Summary:


NtAccessCheck(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtWriteVirtualMemory(>)  4 
NtUserRegisterWindowMessage(>)  19 

NtAddAtom(>)  1 
NtContinue(>)  2 
NtGdiGetStockObject(>)  5 
NtOpenThreadToken(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteFile(>)  5 
NtUnmapViewOfSection(>)  21 

NtConnectPort(>)  1 
NtEnumerateKey(>)  2 
NtCreateSemaphore(>)  6 
NtCreateKey(>)  22 

NtCreateProcessEx(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtCreateSection(>)  27 

NtCreateThread(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultLocale(>)  6 
NtQueryInformationFile(>)  27 

NtDeleteValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtOpenSection(>)  29 

NtGdiCreateBitmap(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtReleaseSemaphore(>)  31 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtSetInformationProcess(>)  31 

NtGdiInit(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtWaitForSingleObject(>)  33 

NtGdiQueryFontAssocInfo(>)  1 
NtReleaseMutant(>)  2 
NtSetInformationFile(>)  8 
NtProtectVirtualMemory(>)  36 

NtGdiSelectBitmap(>)  1 
NtTerminateProcess(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtUserUnregisterClass(>)  46 

NtNotifyChangeKey(>)  1 
NtUserCloseDesktop(>)  2 
NtFsControlFile(>)  10 
NtMapViewOfSection(>)  48 

NtOpenKeyedEvent(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtOpenProcess(>)  1 
NtUserDestroyWindow(>)  2 
NtQuerySection(>)  11 
NtQueryInformationProcess(>)  51 

NtQueryInformationJobObject(>)  1 
NtUserMessageCall(>)  2 
NtRequestWaitReplyPort(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryObject(>)  1 
NtCreateMutant(>)  3 
NtUserCallOneParam(>)  11 
NtOpenProcessTokenEx(>)  60 

NtQueryPerformanceCounter(>)  1 
NtDuplicateObject(>)  3 
NtUserSystemParametersInfo(>)  11 
NtOpenThreadTokenEx(>)  60 

NtQuerySystemTime(>)  1 
NtEnumerateValueKey(>)  3 
NtLockFile(>)  13 
NtUserRegisterClassExWOW(>)  64 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUnlockFile(>)  13 
NtQueryAttributesFile(>)  68 

NtResumeThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtCreateEvent(>)  14 
NtQueryInformationToken(>)  72 

NtSecureConnectPort(>)  1 
NtOpenEvent(>)  3 
NtOpenProcessToken(>)  14 
NtQueryKey(>)  73 

NtTestAlert(>)  1 
NtReadVirtualMemory(>)  3 
NtSetValueKey(>)  15 
NtUserGetClassInfo(>)  82 

NtUserBuildNameList(>)  1 
NtSetEvent(>)  3 
NtQueryDebugFilterState(>)  16 
NtAllocateVirtualMemory(>)  88 

NtUserGetAtomName(>)  1 
NtUserGetObjectInformation(>)  3 
NtFlushInstructionCache(>)  17 
NtQuerySystemInformation(>)  88 

NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtFreeVirtualMemory(>)  17 
NtOpenFile(>)  90 

NtUserGetForegroundWindow(>)  1 
NtUserRemoveProp(>)  3 
NtQueryDirectoryFile(>)  17 
NtUserQueryWindow(>)  114 

NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtReadFile(>)  17 
NtQueryValueKey(>)  125 

NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationThread(>)  17 
NtOpenKey(>)  288 

NtUserSetProp(>)  1 
NtUserBuildHwndList(>)  4 
NtCreateFile(>)  18 
NtClose(>)  385 


Trace:
 00001   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   408   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   408   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   408   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   408   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   408   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   408   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   408   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   408   NtClose  (12, ... ) == 0x0
 00014   408   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   408   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   408   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   408   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   408   NtClose  (16, ... ) == 0x0
 00021   408   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   408   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   408   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   408   NtClose  (16, ... ) == 0x0
 00026   408   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   408   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   408   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   408   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 396, 408, 1432, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 396, 408, 1432, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 396, 408, 1432, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   408   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   408   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   408   NtClose  (16, ... ) == 0x0
 00036   408   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   408   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   408   NtClose  (28, ... ) == 0x0
 00041   408   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   408   NtClose  (28, ... ) == 0x0
 00045   408   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   408   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   408   NtClose  (28, ... ) == 0x0
 00049   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   408   NtClose  (28, ... ) == 0x0
 00052   408   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 396, 408, 1435, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 396, 408, 1435, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 396, 408, 1435, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00057   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00058   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00059   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   408   NtClose  (28, ... ) == 0x0
 00062   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   408   NtClose  (28, ... ) == 0x0
 00065   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   408   NtClose  (28, ... ) == 0x0
 00068   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   408   NtClose  (28, ... ) == 0x0
 00071   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00072   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00073   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00074   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00075   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00076   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00077   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00079   408   NtClose  (28, ... ) == 0x0
 00080   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00082   408   NtClose  (28, ... ) == 0x0
 00083   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00085   408   NtClose  (28, ... ) == 0x0
 00086   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00087   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00088   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00089   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   408   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00091   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00094   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00095   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00096   408   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00097   408   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00098   408   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00099   408   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00101   408   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00102   408   NtClose  (40, ... ) == 0x0
 00103   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00104   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00105   408   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00106   408   NtClose  (40, ... ) == 0x0
 00107   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   408   NtClose  (36, ... ) == 0x0
 00109   408   NtClose  (28, ... ) == 0x0
 00110   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00111   408   NtClose  (32, ... ) == 0x0
 00112   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00113   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00114   408   NtClose  (32, ... ) == 0x0
 00115   408   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00116   408   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00117   408   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00118   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00119   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00120   408   NtClose  (32, ... ) == 0x0
 00121   408   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00122   408   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00123   408   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00124   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00125   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00126   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00127   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00131   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   408   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   408   NtClose  (32, ... ) == 0x0
 00135   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00136   408   NtClose  (28, ... ) == 0x0
 00137   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00141   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00142   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00143   408   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00144   408   NtClose  (28, ... ) == 0x0
 00145   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00146   408   NtClose  (32, ... ) == 0x0
 00147   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00148   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00149   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00150   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00151   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00152   408   NtClose  (32, ... ) == 0x0
 00153   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00154   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00155   408   NtClose  (32, ... ) == 0x0
 00156   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00157   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00158   408   NtClose  (32, ... ) == 0x0
 00159   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00160   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00161   408   NtClose  (32, ... ) == 0x0
 00162   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 32, ) }, ... 32, ) == 0x0
 00163   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00164   408   NtClose  (32, ... ) == 0x0
 00165   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00166   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00167   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00168   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00169   408   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00170   408   NtClose  (32, ... ) == 0x0
 00171   408   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00172   408   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00173   408   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00174   408   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00175   408   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00176   408   NtClose  (32, ... ) == 0x0
 00177   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00178   408   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00179   408   NtClose  (32, ... ) == 0x0
 00180   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00181   408   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182   408   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183   408   NtClose  (32, ... ) == 0x0
 00184   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00185   408   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   408   NtClose  (32, ... ) == 0x0
 00187   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00188   408   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00189   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00191   408   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 396, 408, 1447, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 396, 408, 1447, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 396, 408, 1447, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00192   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   408   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00194   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00195   408   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00196   408   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00197   408   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00198   408   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00199   408   NtClose  (-2147482208, ... ) == 0x0
 00200   408   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5570560, 4096, ) == 0x0
 00201   408   NtFreeVirtualMemory  (-1, (0x550000), 4096, 32768, ... (0x550000), 4096, ) == 0x0
 00202   408   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00203   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00204   408   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   408   NtClose  (-2147482208, ... ) == 0x0
 00206   408   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00207   408   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   408   NtClose  (-2147482208, ... ) == 0x0
 00209   408   NtQueryDefaultLocale  (0, -136181236, ... ) == 0x0
 00210   408   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00211   408   NtUserCallNoParam  (24, ... ) == 0x0
 00212   408   NtGdiCreateCompatibleDC  (0, ...
 00213   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5570560, 4096, ) == 0x0
 00212   408   NtGdiCreateCompatibleDC  ... ) == 0x2010416
 00214   408   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00215   408   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00216   408   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x1050417
 00217   408   NtGdiCreateSolidBrush  (0, 0, ...
 00218   408   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8781824, 4096, ) == 0x0
 00217   408   NtGdiCreateSolidBrush  ... ) == 0x1100418
 00219   408   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00220   408   NtGdiCreateCompatibleDC  (0, ... ) == 0x1010419
 00221   408   NtGdiSelectBitmap  (16843801, 17105943, ... ) == 0x185000f
 00222   408   NtUserGetThreadDesktop  (408, 0, ... ) == 0x2c
 00223   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00224   408   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00225   408   NtClose  (52, ... ) == 0x0
 00226   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00227   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00228   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00229   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00230   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00231   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00232   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00233   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00234   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00235   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00236   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00237   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00238   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00239   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00240   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00241   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00242   408   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00243   408   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00244   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc020
 00245   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00246   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00247   408   NtAllocateVirtualMemory  (-1, 5730304, 0, 4096, 4096, 32, ... 5730304, 4096, ) == 0x0
 00246   408   NtUserRegisterClassExWOW  ... ) == 0x810dc023
 00248   408   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00249   408   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00250   408   NtCallbackReturn  (0, 0, 0, ...
 00251   408   NtGdiInit  (... ) == 0x1
 00252   408   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00253   408   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00254   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00255   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00256   408   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00257   408   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00258   408   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00259   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00260   408   NtClose  (52, ... ) == 0x0
 00261   408   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00262   408   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00264   408   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00265   408   NtClose  (52, ... ) == 0x0
 00266   408   NtQueryDefaultUILanguage  (1241756, ...
 00267   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00269   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   408   NtClose  (-2147482208, ... ) == 0x0
 00271   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00272   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00274   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   408   NtClose  (-2147482196, ... ) == 0x0
 00276   408   NtClose  (-2147482208, ... ) == 0x0
 00266   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   408   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00279   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00280   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00281   408   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 8323072, ) == 0x0
 00282   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   408   NtQueryDefaultUILanguage  (2013024600, ...
 00284   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00285   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00286   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   408   NtClose  (-2147482208, ... ) == 0x0
 00288   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00289   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00291   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   408   NtClose  (-2147482196, ... ) == 0x0
 00293   408   NtClose  (-2147482208, ... ) == 0x0
 00283   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00294   408   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00295   408   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00296   408   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00297   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1448, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 396, 408, 1448, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1448, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00299   408   NtClose  (52, ... ) == 0x0
 00300   408   NtClose  (56, ... ) == 0x0
 00301   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00302   408   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00303   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00304   408   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00305   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00306   408   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   408   NtClose  (56, ... ) == 0x0
 00308   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00314   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00316   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00317   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00318   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00319   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00320   408   NtClose  (52, ... ) == 0x0
 00321   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 921600, ) == 0x0
 00322   408   NtClose  (60, ... ) == 0x0
 00323   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00324   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00325   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00326   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00327   408   NtClose  (60, ... ) == 0x0
 00328   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00329   408   NtClose  (52, ... ) == 0x0
 00330   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00331   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00332   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00333   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00334   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00335   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00336   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00337   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00338   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00339   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00340   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00341   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00342   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00343   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00344   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00345   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00346   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00347   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00348   408   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   408   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   408   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   408   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00352   408   NtQueryDefaultUILanguage  (1239368, ...
 00353   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00354   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00355   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00356   408   NtClose  (-2147482208, ... ) == 0x0
 00357   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00358   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00360   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   408   NtClose  (-2147482196, ... ) == 0x0
 00362   408   NtClose  (-2147482208, ... ) == 0x0
 00352   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00363   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00364   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00365   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00366   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00367   408   NtClose  (52, ... ) == 0x0
 00368   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 4096, ) == 0x0
 00369   408   NtClose  (60, ... ) == 0x0
 00370   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00371   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00372   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00373   408   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00374   408   NtClose  (60, ... ) == 0x0
 00375   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 4096, ) == 0x0
 00376   408   NtClose  (52, ... ) == 0x0
 00377   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00378   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00379   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00380   408   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 4096, ) == 0x0
 00381   408   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00382   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1449, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 396, 408, 1449, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1449, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00384   408   NtClose  (52, ... ) == 0x0
 00385   408   NtClose  (60, ... ) == 0x0
 00386   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00387   408   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00388   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00389   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00390   408   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00391   408   NtUserGetDC  (0, ... ) == 0x1010050
 00392   408   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00393   408   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00394   408   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00395   408   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00396   408   NtAccessCheck  (1394776, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00397   408   NtClose  (60, ... ) == 0x0
 00398   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00399   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00400   408   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00401   408   NtClose  (60, ... ) == 0x0
 00402   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00403   408   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00404   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00405   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   408   NtClose  (52, ... ) == 0x0
 00407   408   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00408   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00409   408   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00411   408   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   408   NtClose  (64, ... ) == 0x0
 00413   408   NtClose  (52, ... ) == 0x0
 00414   408   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00415   408   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00416   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00417   408   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00418   408   NtClose  (52, ... ) == 0x0
 00419   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00420   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00421   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00422   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00423   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00424   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00426   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043
 00428   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00429   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00431   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00433   408   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00434   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00436   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00437   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00438   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00440   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00441   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00442   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00443   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00444   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00445   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00446   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00447   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00448   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00449   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00450   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00451   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00452   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00453   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00454   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00455   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00456   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00457   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00458   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00459   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00460   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00461   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00462   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00463   408   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c
 00464   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00465   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01e
 00466   408   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00467   408   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ...
 00468   408   NtAllocateVirtualMemory  (-1, 5734400, 0, 4096, 4096, 32, ... 5734400, 4096, ) == 0x0
 00467   408   NtUserRegisterClassExWOW  ... ) == 0x810dc01b
 00469   408   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00470   408   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00471   408   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00472   408   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00473   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00474   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00475   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03b
 00476   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00477   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03d
 00478   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00479   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00480   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03f
 00481   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00482   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00483   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc041
 00484   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00485   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00486   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc043
 00487   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00488   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc045
 00489   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00490   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00491   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc047
 00492   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00493   408   NtUserFindExistingCursorIcon  (1242872, 1242888, 1243456, ... ) == 0x10011
 00494   408   NtUserRegisterClassExWOW  (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810dc049
 00495   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00496   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00497   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04b
 00498   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00499   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00500   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04d
 00501   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00502   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00503   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04f
 00504   408   NtUserGetClassInfo  (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0
 00505   408   NtUserRegisterClassExWOW  (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810dc051
 00506   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00507   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00508   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc053
 00509   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00510   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00511   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc055
 00512   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc057
 00513   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00514   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00515   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc059
 00516   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00517   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10013
 00518   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05b
 00519   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00520   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00521   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05d
 00522   408   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00523   408   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00524   408   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05f
 00525   408   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {396, 0}, ... 52, ) == 0x0
 00526   408   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00527   408   NtClose  (52, ... ) == 0x0
 00528   408   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00529   408   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00530   408   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00531   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00532   408   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   408   NtClose  (52, ... ) == 0x0
 00534   408   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00535   408   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00536   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b
 00537   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d
 00538   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f
 00539   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041
 00540   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc043
 00541   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc045
 00542   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047
 00543   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049
 00544   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b
 00545   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d
 00546   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f
 00547   408   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051
 00548   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053
 00549   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055
 00550   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059
 00551   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b
 00552   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d
 00553   408   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f
 00554   408   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00555   408   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00556   408   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00557   408   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00558   408   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00559   408   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00560   408   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00561   408   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00562   408   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00563   408   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00564   408   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00565   408   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00566   408   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00567   408   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00568   408   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00569   408   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00570   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00572   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00573   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00574   408   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9109504, 262144, ) == 0x0
 00575   408   NtAllocateVirtualMemory  (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0
 00576   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00577   408   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9371648, 262144, ) == 0x0
 00578   408   NtAllocateVirtualMemory  (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0
 00579   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00580   408   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9633792, 262144, ) == 0x0
 00581   408   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 00582   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00583   408   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9895936, 262144, ) == 0x0
 00584   408   NtAllocateVirtualMemory  (-1, 9895936, 0, 4096, 4096, 4, ... 9895936, 4096, ) == 0x0
 00585   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00586   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00587   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00588   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00589   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 00590   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00591   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 64, ) == 0x0
 00592   408   NtClose  (52, ... ) == 0x0
 00593   408   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 90112, ) == 0x0
 00594   408   NtClose  (64, ... ) == 0x0
 00595   408   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00596   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239688, ... ) }, 1239688, ... ) == 0x0
 00597   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00598   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 52, ) == 0x0
 00599   408   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00600   408   NtClose  (64, ... ) == 0x0
 00601   408   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00602   408   NtClose  (52, ... ) == 0x0
 00603   408   NtQueryDefaultLocale  (1, 1241376, ... ) == 0x0
 00604   408   NtAllocateVirtualMemory  (-1, 9113600, 0, 4096, 4096, 4, ... 9113600, 4096, ) == 0x0
 00605   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00606   408   NtClose  (52, ... ) == 0x0
 00607   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   408   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00610   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00612   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00613   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00614   408   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00615   408   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00616   408   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00617   408   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00618   408   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00619   408   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00620   408   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0
 00621   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00622   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00623   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00624   408   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00625   408   NtClose  (68, ... ) == 0x0
 00626   408   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00627   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00630   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00631   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00632   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635   408   NtClose  (68, ... ) == 0x0
 00636   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00637   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   408   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   408   NtClose  (68, ... ) == 0x0
 00640   408   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   408   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00642   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   408   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   408   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00646   408   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0
 00647   408   NtQueryDefaultUILanguage  (1241768, ...
 00648   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00649   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00650   408   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00651   408   NtClose  (-2147482208, ... ) == 0x0
 00652   408   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00653   408   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   408   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00655   408   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   408   NtClose  (-2147482196, ... ) == 0x0
 00657   408   NtClose  (-2147482208, ... ) == 0x0
 00647   408   NtQueryDefaultUILanguage  ... ) == 0x0
 00658   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00660   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00661   408   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9b0000), 0x0, 593920, ) == 0x0
 00662   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   408   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00664   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   408   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 396, 408, 1450, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 396, 408, 1450, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00666   408   NtClose  (72, ... ) == 0x0
 00667   408   NtClose  (76, ... ) == 0x0
 00668   408   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00669   408   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00670   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00671   408   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00673   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00674   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00676   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00677   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00678   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00679   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0
 00680   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00681   408   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00682   408   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00683   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00684   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 88, ) }, ... 88, ) == 0x0
 00685   408   NtNotifyChangeKey  (88, 84, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00686   408   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00687   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00688   408   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00689   408   NtTestAlert  (... ) == 0x0
 00690   408   NtContinue  (1244464, 1, ...
 00691   408   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x404118,}, 4, ... ) == 0x0
 00692   408   NtQueryPerformanceCounter  (... {110677088, 0}, {3579545, 0}, ) == 0x0
 00693   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00694   408   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10158080, 65536, ) == 0x0
 00695   408   NtAllocateVirtualMemory  (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0
 00696   408   NtAllocateVirtualMemory  (-1, 10162176, 0, 8192, 4096, 4, ... 10162176, 8192, ) == 0x0
 00697   408   NtAllocateVirtualMemory  (-1, 10170368, 0, 4096, 4096, 4, ... 10170368, 4096, ) == 0x0
 00698   408   NtAllocateVirtualMemory  (-1, 10174464, 0, 4096, 4096, 4, ... 10174464, 4096, ) == 0x0
 00699   408   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10223616, 4096, ) == 0x0
 00700   408   NtProtectVirtualMemory  (-1, (0x9c0000), 6, 64, ...
 00701   408   NtContinue  (-136184020, 0, ...
 00700   408   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00702   408   NtFreeVirtualMemory  (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0
 00703   408   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00704   408   NtDeleteValueKey  (100,  (100, "Z", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   408   NtClose  (100, ... ) == 0x0
 00706   408   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 1241352,  (0x40100080, {24, 0, 0x42, 0, 1241352, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00707   408   NtClose  (-2147482208, ... ) == 0x0
 00706   408   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00708   408   NtQueryVolumeInformationFile  (100, 1241456, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00709   408   NtAllocateVirtualMemory  (-1, 10178560, 0, 8192, 4096, 4, ... 10178560, 8192, ) == 0x0
 00710   408   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0
 00711   408   NtClose  (100, ... ) == 0x0
 00712   408   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235052, ... ) }, 1235052, ... ) == 0x0
 00714   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00715   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00716   408   NtClose  (100, ... ) == 0x0
 00717   408   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 262144, ) == 0x0
 00718   408   NtClose  (104, ... ) == 0x0
 00719   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 00720   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00721   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00722   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00723   408   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00724   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 104, {status=0x0, info=0}, ) }, 7, 16, ... 104, {status=0x0, info=0}, ) == 0x0
 00725   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;g\12\352\301\1F\2576\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00726   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00727   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00728   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00729   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00730   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00731   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00732   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00733   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00734   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\274\222\360T\245\302Rh~\346\212:CW\343\322\361\335\311~:Z&\7-z\341\240\207G\312\335\344\235\377\370\304\261.K\377\305$\310\260K\12vr\236\254C%\210\1\21\364}\201u\325UI^@\242\35f#h]\272\12{\343\202\257\311Bv", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\274\222\360T\245\302Rh~\346\212:CW\343\322\361\335\311~:Z&\7-z\341\240\207G\312\335\344\235\377\370\304\261.K\377\305$\310\260K\12vr\236\254C%\210\1\21\364}\201u\325UI^@\242\35f#h]\272\12{\343\202\257\311Bv", 80, ... ) , 80, ... ) == 0x0
 00735   408   NtClose  (-2147482208, ... ) == 0x0
 00725   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "b\212Yl\250\331RS\252F\320h\316\207\177\26\33\356m\351\250C\15\365\33\207Sy\320Y\357\370\263)O>\220\370\350\271\237l\313\273a\35('\220\330'\315\228fg-\6EG\314\7X\374\32\310\207=\31\5\7\231\10\303\342\212\24\376\335\23\274<\263\265\177\242v(\311a\341\3331\270B\340A\27ps\346\204Y\326*U\11\267\24\332=PC{\371\323\242\363F\367\0\12\361\24o\303\4n\177/4\11}V\306\5i<&\304\350\313<[\262\300\257\21\266\276\361\371\21=\262\231\205\251\316\253\230\327f\301f\351\242\247\226\245;\374Q3\224\213h\34\363\213\3340\5\3255i|C\307u"p\241\344\3501\2233\217\342a{_\317\342\223\6\14T\15\3\245\254\224\202w\331\305_\257M\3071\15\302F\362\305*g\227\245eh0\367\37\357\356\353\273d\221\0\271+:|\257p6T\215\13\225", ) p\241\344\3501\2233\217\342a{_\317\342\223\6\14T\15\3\245\254\224\202w\331\305_\257M\3071\15\302F\362\305*g\227\245eh0\367\37\357\356\353\273d\221\0\271+:|\257p6T\215\13\225", ) == 0x0
 00736   408   NtAllocateVirtualMemory  (-1, 1429504, 0, 16384, 4096, 4, ... 1429504, 16384, ) == 0x0
 00737   408   NtUserRegisterClassExWOW  (1237136, 1237216, 1237200, 1237232, 0, 384, 0, ... ) == 0x810dc038
 00738   408   NtUserGetAtomName  (49208, 1235900, ... ) == 0x15
 00739   408   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00740   408   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00741   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233424, ... ) }, 1233424, ... ) == 0x0
 00742   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00743   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0
 00744   408   NtClose  (100, ... ) == 0x0
 00745   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 204800, ) == 0x0
 00746   408   NtClose  (108, ... ) == 0x0
 00747   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 00748   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233740, ... ) }, 1233740, ... ) == 0x0
 00749   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00750   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0
 00751   408   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00752   408   NtClose  (108, ... ) == 0x0
 00753   408   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00754   408   NtClose  (100, ... ) == 0x0
 00755   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00756   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00757   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00758   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00759   408   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00760   408   NtClose  (100, ... ) == 0x0
 00761   408   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00762   408   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 00763   408   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   408   NtClose  (108, ... ) == 0x0
 00765   408   NtClose  (100, ... ) == 0x0
 00766   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00767   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00768   408   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00769   408   NtClose  (100, ... ) == 0x0
 00770   408   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00771   408   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00772   408   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   408   NtClose  (108, ... ) == 0x0
 00774   408   NtClose  (100, ... ) == 0x0
 00775   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == 0x0
 00778   408   NtUserGetProcessWindowStation  (... ) == 0x28
 00779   408   NtUserGetObjectInformation  (40, 2, 0, 0, 1235536, ... ) == 0x0
 00780   408   NtUserGetObjectInformation  (40, 2, 1441872, 16, 1235536, ... ) == 0x1
 00781   408   NtUserGetGUIThreadInfo  (408, 1235492, ... ) == 0x1
 00782   408   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0
 00783   408   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1452, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 396, 408, 1452, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1452, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00784   408   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1453, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 396, 408, 1453, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1453, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00785   408   NtUserCallNoParam  (29, ...
 00786   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232784, ... ) }, 1232784, ... ) == 0x0
 00785   408   NtUserCallNoParam  ... ) == 0x0
 00787   408   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00788   408   NtGdiHfontCreate  (1234864, 356, 0, 0, 1413832, ... ) == 0x70a0382
 00789   408   NtGdiHfontCreate  (1234864, 356, 0, 0, 1413824, ... ) == 0x40a0383
 00790   408   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1454, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 396, 408, 1454, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 396, 408, 1454, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00791   408   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9c0000), {0, 0}, 331776, ) == 0x0
 00792   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00793   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00794   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00795   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00796   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00797   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00798   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00799   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00800   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00801   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00802   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00803   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00804   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00805   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00806   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00807   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00808   408   NtUserGetWindowDC  (0, ... ) == 0x1010052
 00809   408   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x210041e
 00810   408   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00811   408   NtUserCallNoParam  (29, ...
 00812   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232228, ... ) }, 1232228, ... ) == 0x0
 00811   408   NtUserCallNoParam  ... ) == 0x0
 00813   408   NtUserCallNoParam  (29, ...
 00814   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232224, ... ) }, 1232224, ... ) == 0x0
 00813   408   NtUserCallNoParam  ... ) == 0x0
 00815   408   NtUserMessageCall  (0x200b4, WM_NCCREATE, 0x0, 0x12db68, 0, 670, 0, ... ) == 0x1
 00816   408   NtUserMessageCall  (0x200b4, WM_NCCALCSIZE, 0x0, 0x12db90, 0, 670, 0, ... ) == 0x0
 00817   408   NtUserSetProp  (131252, 43288, -1, ... ) == 0x1
 00739   408   NtUserCreateWindowEx  ... ) == 0x200b4
 00818   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00819   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00820   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00821   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00822   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00823   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00824   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00825   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00826   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00827   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "l(Fo\374\256@\213\347\261Q{\341\355\20]\205\3719\373\24o\220\211\242\275!-\276\34\317\216\377\253PY\7\242\32\234g\262s\304\3203Y\321D\242]\347\360\230\251oN3,\333\256h\226Y\4\227\231\261\253*\246\372\272H\26\377\377\220\365.", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "l(Fo\374\256@\213\347\261Q{\341\355\20]\205\3719\373\24o\220\211\242\275!-\276\34\317\216\377\253PY\7\242\32\234g\262s\304\3203Y\321D\242]\347\360\230\251oN3,\333\256h\226Y\4\227\231\261\253*\246\372\272H\26\377\377\220\365.", 80, ... ) , 80, ... ) == 0x0
 00828   408   NtClose  (-2147482208, ... ) == 0x0
 00818   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "9\236\322c5\336(+ \301F\256\300\351\305\22\243,\211>\246?;F\353iw^J\225de\31\364J?*w\35\264\307\244\323\34\225\260\205\317\330\334\340\351\217\270\274\346\303\321\314\275\263\310\372\333H\316\2204\23\230F\27(.z\270m1\253E\362$\314c^\235\356\270\325d\233\225\364+U\226\5\254\245@\1\3028iC\260\226\5\11\364\21\23\216@^CR\240\352Y"\205\331\36\337b\23\370F?\214\210\210(G\34"\310B\231\79\247\2739\277\251\255\16\324\271\352\262\250\237\220\210\342T\1774\216Y\313\17\34g#b#S\25p M\276\303\204Q\205&#l\212\261\32Uv\224j %\321!\240#uK\37\350\264B\205!\376\$h\324k\313\262\372\334\314\262\240\204\231)E\316\23\246)\346*&\14\314\354s\206\35F\227\237\244WE\24\230P[\312d\377\212\257\372\276\351XQ\215", ) \205\331\36\337b\23\370F?\214\210\210(G\34 ... {status=0x0, info=256}, "9\236\322c5\336(+ \301F\256\300\351\305\22\243,\211>\246?;F\353iw^J\225de\31\364J?*w\35\264\307\244\323\34\225\260\205\317\330\334\340\351\217\270\274\346\303\321\314\275\263\310\372\333H\316\2204\23\230F\27(.z\270m1\253E\362$\314c^\235\356\270\325d\233\225\364+U\226\5\254\245@\1\3028iC\260\226\5\11\364\21\23\216@^CR\240\352Y"\205\331\36\337b\23\370F?\214\210\210(G\34"\310B\231\79\247\2739\277\251\255\16\324\271\352\262\250\237\220\210\342T\1774\216Y\313\17\34g#b#S\25p M\276\303\204Q\205&#l\212\261\32Uv\224j %\321!\240#uK\37\350\264B\205!\376\$h\324k\313\262\372\334\314\262\240\204\231)E\316\23\246)\346*&\14\314\354s\206\35F\227\237\244WE\24\230P[\312d\377\212\257\372\276\351XQ\215", ) , ) == 0x0
 00829   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00830   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00831   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00832   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00833   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00834   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00835   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00836   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00837   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00838   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\344\230\244\37\234N\3724\235\341\35R\374\204\230\32\242G"`\220\312\363\6e\232j\21574\5{\237w\27G;\12Rz\324\276\212\27\243Hl\7\246\20\315\252\34M].\302vm\232\366\254\370\312S\314\213\21\352\36\0CA\244\25{z\14\260\337", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\344\230\244\37\234N\3724\235\341\35R\374\204\230\32\242G"`\220\312\363\6e\232j\21574\5{\237w\27G;\12Rz\324\276\212\27\243Hl\7\246\20\315\252\34M].\302vm\232\366\254\370\312S\314\213\21\352\36\0CA\244\25{z\14\260\337", 80, ... ) `\220\312\363\6e\232j\21574\5{\237w\27G;\12Rz\324\276\212\27\243Hl\7\246\20\315\252\34M].\302vm\232\366\254\370\312S\314\213\21\352\36\0CA\244\25{z\14\260\337", 80, ... ) == 0x0
 00839   408   NtClose  (-2147482208, ... ) == 0x0
 00829   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\305\235\340\24;y_\250\11\215>T8\216\347Z\270*\272\36\373\272\310\301\212\335\310\323\11Y\325\256J\26y\346\32\32\337\363\167H6\262\\326\300+\210y\257*\22\266\327\26\10\203\344\204Y\310\365\215\22\217@\214\21\324\363\253\342\363\333\304\13\14\273\366\213\33\206j+\265\34\270\355\326\273q\3\311\275=\342\274Ii?P\231(\355x\216\177\322\2044\232`\235\320K\253\205\235?\274\6d\343\300\245y?\321\264\354\37\21\367{\244\21\362\31Z\225\7|P\5\202\334\27\364w_p", ) Z\270*\272\36\373\272\310\301\212\335\310\323\11Y\325\256J\26y\346\32\32\337\363\167H6\262\\326\300+\210y\257*\22\266\327\26\10\203\344\204Y\310\365\215\22\217@\214\21\324\363\253\342\363\333\304\13\14\273\366\213\33\206j+\265\34\270\355\326\273q\3\311\275=\342\274Ii?P\231(\355x\216\177\322\2044\232`\235\320K\253\205\235?\274\6d\343\300\245y?\321\264\354\37\21\367{\244\21\362\31Z\225\7|P\5\202\334\27\364w_p", ) == 0x0
 00840   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00841   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00842   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00843   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00844   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00845   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00846   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00847   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00848   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00849   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\344"\260\345\33\334\257\362/\336\351O\220\311P\337,\363q\2\275\236\353Y0, 3,  (-2147482208, "Seed", 0, 3, "\344"\260\345\33\334\257\362/\336\351O\220\311P\337,\363q\2\275\236\353Y260\345\33\334\257\362/\336\351O\220\311P\337,\363q\2\275\236\353Y2036\30\335\2423\361\343\313=\340\357\242\227L\214\347\351#&pS\211\216@8D\311`\357x\327 \200\255\11\307\275\373\376W7!\342\331\340\337\316\207\211\245\26", 80, ... ) == 0x0
 00850   408   NtClose  (-2147482208, ... ) == 0x0
 00840   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "X'\3\374_B\201\356\201t\361\257|\37\312\372\322\205\236"\252p\36\311[\235\257\317y\232-j\14\177r\27\277\320\37nL9\350\203\236\340\260^\376\255n\272\272\362\232\6*\270\361\275\325\374\20!\344\272}\330"F\263\30\354\247\265\322!\340S6\4R\232\255\326\2101\357ne>K\205\10\31\332\335k\310;\226\374WrZ\342#\376\347\215\322La\273f\232\241mf\373\245f\204\3&D\32Z\306\272\31/\351wF\267\271\235\310J\256\310$#GWd\332\252\5\341\335\351\242\346\307\277\256\21\222\211\270\2\345\314R\3261dm\316\343D\213K\221oc\235k'Z\251\317\227e\310\177K\333j\375\274V\169\322\227\340\200yP\355\33\362\357v@\346\16\365\235\264\271f\305\310y\273<\307r8\341\306\345@\233|}\326W\223uB\202L\251\26, ) \252p\36\311[\235\257\317y\232-j\14\177r\27\277\320\37nL9\350\203\236\340\260^\376\255n\272\272\362\232\6*\270\361\275\325\374\20!\344\272}\330 ... {status=0x0, info=256}, "X'\3\374_B\201\356\201t\361\257|\37\312\372\322\205\236"\252p\36\311[\235\257\317y\232-j\14\177r\27\277\320\37nL9\350\203\236\340\260^\376\255n\272\272\362\232\6*\270\361\275\325\374\20!\344\272}\330"F\263\30\354\247\265\322!\340S6\4R\232\255\326\2101\357ne>K\205\10\31\332\335k\310;\226\374WrZ\342#\376\347\215\322La\273f\232\241mf\373\245f\204\3&D\32Z\306\272\31/\351wF\267\271\235\310J\256\310$#GWd\332\252\5\341\335\351\242\346\307\277\256\21\222\211\270\2\345\314R\3261dm\316\343D\213K\221oc\235k'Z\251\317\227e\310\177K\333j\375\274V\169\322\227\340\200yP\355\33\362\357v@\346\16\365\235\264\271f\305\310y\273<\307r8\341\306\345@\233|}\326W\223uB\202L\251\26, ) , ) == 0x0
 00851   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00852   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00853   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00854   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00855   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00856   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00857   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00858   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00859   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00860   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "1\345\o\24 \177\246\357\341\365\220K\272hn\253\216-3\372\255\203\210\21\231\322\34\247ub/=F\267j\365:\232*9,_\243\223h\365Pl\3418u\12\4E3\316\2\261\336'\335m\252s\221t8g\245\0H\200\260\341\32R\207\24", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "1\345\o\24 \177\246\357\341\365\220K\272hn\253\216-3\372\255\203\210\21\231\322\34\247ub/=F\267j\365:\232*9,_\243\223h\365Pl\3418u\12\4E3\316\2\261\336'\335m\252s\221t8g\245\0H\200\260\341\32R\207\24", 80, ... ) , 80, ... ) == 0x0
 00861   408   NtClose  (-2147482208, ... ) == 0x0
 00851   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "]\262=\200\26\365\23\34\356m\263\202\14\22\323,\344E\230w\16lr\353 \211e\24g\315\260]a)g\230\2\207\232'Y\263*qb\363\205\26\305d\22\372K\3640\240\223A\373*\222\32a\4=k\3637\5\245\37[\253HL\373\256)R\372\310E\213\2\315\267\306\326t\372\311^\253\340\307\275u\272\376:d\356\215Q\355R)\375\275\222\25\31\14\362\304\321\332\224\223hG\276\242>&\243\216\257\371';~\226d\307\204\235f\31\200x\221\13\11Qx\243\307\302\306\363[S\263\251/\322r\226\215\4\252\310\322\3658u)\217\28\364X\274}\344p1Z\275\206p\225\204\325\363\271H\354\16^t\241\227\15Y~i\265\366[\316\300\212\255\11k\335\334\367\3577Z,I\22e1Jt\21\31\226\333\372\300\323`\363\307]8\223\371\325x\246R\211\267\33", ) , ) == 0x0
 00862   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00863   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00864   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00865   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00866   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00867   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00868   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00869   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00870   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00871   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\212>W\247\263Y\233(\1o\276Z\311\235\12\2673Q\212\357\245\322\232\362\230`\216&g\233\365 c\260\247\361\6B\363\346$l\25\321m2 ;-\375A%\3\372\260!6\252\33\31\341j\327\322\316#\210\246\354\257\236\333\313\256g0d\25\2578", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\212>W\247\263Y\233(\1o\276Z\311\235\12\2673Q\212\357\245\322\232\362\230`\216&g\233\365 c\260\247\361\6B\363\346$l\25\321m2 ;-\375A%\3\372\260!6\252\33\31\341j\327\322\316#\210\246\354\257\236\333\313\256g0d\25\2578", 80, ... ) , 80, ... ) == 0x0
 00872   408   NtClose  (-2147482208, ... ) == 0x0
 00862   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "n\20\201\201\227#\10P\257\347\373\271\254\260(M\374\246\243N|\334\363\357\\332\352\361\14\353\3666\374\30E.g\377\310\202 \0", ) , ) == 0x0
 00873   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00874   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00875   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00876   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00877   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00878   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00879   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00880   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00881   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00882   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\11\31\343\225\330-\32\2 \326\256\2359\216b\370R\276\216\20e\214\200\275\216Lp\337\344W\223\371\246\302Z"\5\324\35\307\273j\1M\265\267q:\332\260\303o\274\217t\6\10?Xb\341\270\2333A\356\11\210\313\227\367qy\273Q\307O\35\347\207", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\11\31\343\225\330-\32\2 \326\256\2359\216b\370R\276\216\20e\214\200\275\216Lp\337\344W\223\371\246\302Z"\5\324\35\307\273j\1M\265\267q:\332\260\303o\274\217t\6\10?Xb\341\270\2333A\356\11\210\313\227\367qy\273Q\307O\35\347\207", 80, ... ) \5\324\35\307\273j\1M\265\267q:\332\260\303o\274\217t\6\10?Xb\341\270\2333A\356\11\210\313\227\367qy\273Q\307O\35\347\207", 80, ... ) == 0x0
 00883   408   NtClose  (-2147482208, ... ) == 0x0
 00873   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\252\316\255\320\365)!C2A(4@c\270\23\30\247N\257\251,\222\305 Lt\373^\1\301g\347\11\341n\363\203 S\210\266\23\263\365\317\34V\267\263\12\246,\6\23\312r\236DNq\313/\355\206\33\21Ob_\20W\303\37W`\372P\2257r\255\22\327oV\337\229\305*\212\327V\2p\210\275\221(<\242\236S{\237\10\276\262 \203it\350\362\2167\3665\373\363\326l\323y\277C\256&\232s\12l\257\302\236RZu\245\301\262\15\247\310\336>\6\6\346\307\61\306\2451\325R6\252zm\33b\307\37\225!Lf\20\33\270\345\362Tw\331\0\262\7S\370\317Ip3\255vl\361\302\210:\16Y\206\265Z\31\353\324\271\211g\20\301\344\14\351\374\240,E\2S\254\213\315\2117\354\331m\353\234\354\26C\366\242\215\342\343\216\315\23=\15Z)\203\326\344\11GN%\245\310\207d\251\225\1\211", ) , ) == 0x0
 00884   408   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;\226, 256, 256, ... , 256, 256, ...
 00885   408   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00886   408   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00887   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00888   408   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00889   408   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00890   408   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00891   408   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00892   408   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00893   408   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\332[\321v\222\326K\355Cae\265\313\276_\200\260\33;X+tPs\371\3\233\370\0\220F\362\20\370\256\243D\3450\241\322\332?,q\212`m\20(\223#\332d\316I\327\247\363|\224\317?\233\216\343\352\272s[\345\326\4\321\11\266\357\332\315A", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\332[\321v\222\326K\355Cae\265\313\276_\200\260\33;X+tPs\371\3\233\370\0\220F\362\20\370\256\243D\3450\241\322\332?,q\212`m\20(\223#\332d\316I\327\247\363|\224\317?\233\216\343\352\272s[\345\326\4\321\11\266\357\332\315A", 80, ... ) , 80, ... ) == 0x0
 00894   408   NtClose  (-2147482208, ... ) == 0x0
 00884   408   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\\376\31\231\357>\275\2p)\215\26\251N\177\304\4\257Rg\200y\2213J\336\224\337\310K\274\16\213\26\207\4\327\213}\344M\342f\315\232\336\214\303\244\334{\370\260{i|\243_G\221\12\356\217\33L\36\356)6\373V\374DC\26\360I\367\244\216\202lf\271%\203(Z\236e\250\222e\0Sx)\266\310\371\333\207}\305}\277\344\2556\2745+yG\23\35\255\267\233\22\211\225\357\225\23\177\253\14\250\246\27\34qX\31\350\207Zd\205lY+o\272\270\235\6\341\320\7\36\247\22\25%?\373\226A\21074}@\24R\6IEy\334PdI\323\327\15\377T\25b\L\255\374\6\330\357\34\4\261\15\307\3101\214\27\211\231\325\10Z\14f\256c\2324\321\363\266x'\252\2\23\302\23\347t\315\321\370s+\330\313\355\263\245A0\256\212Q\201^\237{_(x\257\374f&\247\307V\211\241\224><\227", ) , ) == 0x0
 00895   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 112, ) }, ... 112, ) == 0x0
 00896   408   NtQueryValueKey  (112,  (112, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 00898   408   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   408   NtClose  (116, ... ) == 0x0
 00900   408   NtClose  (112, ... ) == 0x0
 00901   408   NtAllocateVirtualMemory  (-1, 1445888, 0, 24576, 4096, 4, ... 1445888, 24576, ) == 0x0
 00902   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == 0x0
 00906   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00907   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 00908   408   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   408   NtClose  (112, ... ) == 0x0
 00910   408   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00911   408   NtClose  (116, ... ) == 0x0
 00912   408   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00915   408   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   408   NtClose  (116, ... ) == 0x0
 00917   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00919   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00920   408   NtQuerySystemTime  (... {-1964664232, 29870591}, ) == 0x0
 00921   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00922   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   408   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00924   408   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00925   408   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00926   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00927   408   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0
 00928   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00929   408   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00930   408   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00931   408   NtClose  (136, ... ) == 0x0
 00932   408   NtClose  (132, ... ) == 0x0
 00933   408   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00934   408   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00935   408   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00936   408   NtAllocateVirtualMemory  (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0
 00937   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00938   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00939   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00940   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00941   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235664,  (0xc0100080, {24, 0, 0x40, 0, 1235664, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00942   408   NtSetInformationFile  (148, 1235720, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00943   408   NtSetInformationFile  (148, 1235712, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00944   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00945   408   NtWriteFile  (148, 125, 0, 0,  (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00946   408   NtReadFile  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 00947   408   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 00948   408   NtClose  (144, ... ) == 0x0
 00949   408   NtClose  (148, ... ) == 0x0
 00950   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235708, ... ) }, 1235708, ... ) == 0x0
 00951   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00952   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00953   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235528, ... ) }, 1235528, ... ) == 0x0
 00954   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00955   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00956   408   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0
 00957   408   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS
 00958   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00959   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00960   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00962   408   NtQueryValueKey  (144,  (144, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   408   NtClose  (144, ... ) == 0x0
 00964   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00965   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00966   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00968   408   NtQueryValueKey  (144,  (144, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   408   NtClose  (144, ... ) == 0x0
 00970   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00971   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00972   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00974   408   NtQueryValueKey  (144,  (144, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   408   NtClose  (144, ... ) == 0x0
 00976   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00977   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00978   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00980   408   NtQueryValueKey  (144,  (144, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   408   NtClose  (144, ... ) == 0x0
 00982   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00984   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00985   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00987   408   NtQueryValueKey  (144,  (144, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   408   NtClose  (144, ... ) == 0x0
 00989   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00990   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00991   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00993   408   NtQueryValueKey  (144,  (144, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   408   NtClose  (144, ... ) == 0x0
 00995   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00996   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 00997   408   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00998   408   NtClose  (144, ... ) == 0x0
 00999   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01000   408   NtSetInformationObject  (146, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01001   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01002   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 152, ) }, ... 152, ) == 0x0
 01004   408   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01005   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01006   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01007   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01008   408   NtClose  (156, ... ) == 0x0
 01009   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   408   NtQueryValueKey  (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01011   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233436, ... ) }, 1233436, ... ) == 0x0
 01012   408   NtClose  (154, ... ) == 0x0
 01013   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01014   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 152, ) }, ... 152, ) == 0x0
 01016   408   NtAllocateVirtualMemory  (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0
 01017   408   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01018   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01019   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01020   408   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01021   408   NtClose  (156, ... ) == 0x0
 01022   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   408   NtEnumerateKey  (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01024   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01025   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 156, ) }, ... 156, ) == 0x0
 01027   408   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01028   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01029   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01030   408   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01031   408   NtClose  (160, ... ) == 0x0
 01032   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   408   NtQueryValueKey  (158,  (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01034   408   NtClose  (158, ... ) == 0x0
 01035   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01036   408   NtEnumerateKey  (154, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01037   408   NtClose  (154, ... ) == 0x0
 01038   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01039   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01040   408   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 156, ) }, ... 156, ) == 0x0
 01041   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01043   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01045   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 160, ) }, ... 160, ) == 0x0
 01047   408   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01048   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01049   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01050   408   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01051   408   NtClose  (164, ... ) == 0x0
 01052   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   408   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 01054   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01055   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 164, ) }, ... 164, ) == 0x0
 01057   408   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01058   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01059   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01060   408   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01061   408   NtClose  (168, ... ) == 0x0
 01062   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   408   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   408   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01065   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01066   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01067   408   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01068   408   NtClose  (168, ... ) == 0x0
 01069   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   408   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0, ""}, ... 168, ) == 0x0
 01071   408   NtClose  (166, ... ) == 0x0
 01072   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01073   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01074   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01076   408   NtQueryValueKey  (164,  (164, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   408   NtClose  (164, ... ) == 0x0
 01078   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01079   408   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 164, ) == 0x0
 01080   408   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01081   408   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01082   408   NtClose  (164, ... ) == 0x0
 01083   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01084   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01085   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01087   408   NtQueryValueKey  (164,  (164, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   408   NtClose  (164, ... ) == 0x0
 01089   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01090   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01091   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01093   408   NtQueryValueKey  (164,  (164, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   408   NtClose  (164, ... ) == 0x0
 01095   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01096   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01097   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01099   408   NtQueryValueKey  (164,  (164, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   408   NtClose  (164, ... ) == 0x0
 01101   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01102   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01103   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01105   408   NtQueryValueKey  (164,  (164, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   408   NtClose  (164, ... ) == 0x0
 01107   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01108   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01109   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01110   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01111   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01113   408   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   408   NtClose  (164, ... ) == 0x0
 01115   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01116   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01117   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01119   408   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   408   NtClose  (164, ... ) == 0x0
 01121   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01122   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01123   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01125   408   NtQueryValueKey  (164,  (164, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   408   NtClose  (164, ... ) == 0x0
 01127   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01128   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01129   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01130   408   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 164, ) }, ... 164, ) == 0x0
 01131   408   NtQueryValueKey  (164,  (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01132   408   NtQueryValueKey  (164,  (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01133   408   NtQueryValueKey  (164,  (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01134   408   NtQueryValueKey  (164,  (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01135   408   NtQueryValueKey  (164,  (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   408   NtQueryValueKey  (164,  (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01137   408   NtQueryValueKey  (164,  (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01139   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01140   408   NtQueryValueKey  (164,  (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01141   408   NtQueryValueKey  (164,  (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   408   NtQueryValueKey  (164,  (164, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   408   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01144   408   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   408   NtClose  (164, ... ) == 0x0
 01146   408   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS
 01147   408   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01148   408   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01149   408   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01150   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01152   408   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153   408   NtClose  (172, ... ) == 0x0
 01154   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   408   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01157   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01160   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 172, ) }, ... 172, ) == 0x0
 01162   408   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01163   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01164   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01165   408   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01166   408   NtClose  (176, ... ) == 0x0
 01167   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   408   NtQueryValueKey  (174,  (174, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   408   NtClose  (174, ... ) == 0x0
 01170   408   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01171   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01172   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01173   408   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01174   408   NtClose  (172, ... ) == 0x0
 01175   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   408   NtQueryValueKey  (170,  (170, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   408   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01178   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01179   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01180   408   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01181   408   NtClose  (172, ... ) == 0x0
 01182   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   408   NtQueryValueKey  (170,  (170, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   408   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01185   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01186   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01187   408   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01188   408   NtClose  (172, ... ) == 0x0
 01189   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   408   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01192   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 172, ) }, ... 172, ) == 0x0
 01194   408   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 01195   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01196   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01197   408   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   408   NtClose  (176, ... ) == 0x0
 01199   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   408   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   408   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01202   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01203   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01204   408   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01205   408   NtClose  (176, ... ) == 0x0
 01206   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   408   NtQueryValueKey  (170,  (170, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   408   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01209   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01211   408   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   408   NtClose  (176, ... ) == 0x0
 01213   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   408   NtQueryValueKey  (170,  (170, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   408   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01216   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01217   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01218   408   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01219   408   NtClose  (176, ... ) == 0x0
 01220   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   408   NtQueryValueKey  (170,  (170, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   408   NtClose  (162, ... ) == 0x0
 01223   408   NtClose  (170, ... ) == 0x0
 01224   408   NtClose  (174, ... ) == 0x0
 01225   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01226   408   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS
 01227   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01228   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01229   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01230   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01231   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01232   408   NtQueryValueKey  (168,  (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01233   408   NtClose  (168, ... ) == 0x0
 01234   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01235   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01236   408   NtSetValueKey  (168,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0
 01237   408   NtClose  (168, ... ) == 0x0
 01238   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01239   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01240   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 160, ) == 0x0
 01241   408   NtClose  (168, ... ) == 0x0
 01242   408   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01243   408   NtClose  (160, ... ) == 0x0
 01244   408   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01245   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01246   408   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   408   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == 0x0
 01251   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01252   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 168, ) == 0x0
 01253   408   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01254   408   NtClose  (160, ... ) == 0x0
 01255   408   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01256   408   NtClose  (168, ... ) == 0x0
 01257   408   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 01258   408   NtQueryDefaultLocale  (1, 1233480, ... ) == 0x0
 01259   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01260   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01261   408   NtQueryValueKey  (168,  (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01262   408   NtClose  (168, ... ) == 0x0
 01263   408   NtUserGetProcessWindowStation  (... ) == 0x28
 01264   408   NtUserGetObjectInformation  (40, 1, 1233152, 12, 1233164, ... ) == 0x1
 01265   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 168, ) }, ... 168, ) == 0x0
 01266   408   NtQueryValueKey  (168,  (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01267   408   NtClose  (168, ... ) == 0x0
 01268   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01269   408   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01270   408   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01271   408   NtClose  (168, ... ) == 0x0
 01272   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01273   408   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01274   408   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01275   408   NtClose  (168, ... ) == 0x0
 01276   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01277   408   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01278   408   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01279   408   NtClose  (168, ... ) == 0x0
 01280   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01281   408   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01282   408   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01283   408   NtClose  (168, ... ) == 0x0
 01284   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01285   408   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01286   408   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01287   408   NtClose  (168, ... ) == 0x0
 01288   408   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 01289   408   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 168, ) }, ... 168, ) == 0x0
 01290   408   NtQueryValueKey  (168,  (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01291   408   NtClose  (168, ... ) == 0x0
 01292   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01293   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 160, ) == 0x0
 01294   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01295   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 180, ) == 0x0
 01296   408   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01297   408   NtCreateMutant  (0x1f0001, 0x0, 0, ... 188, ) == 0x0
 01298   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 192, ) }, ... 192, ) == 0x0
 01299   408   NtQueryValueKey  (192,  (192, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   408   NtQueryValueKey  (192,  (192, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   408   NtOpenKey  (0x1, {24, 192, 0x40, 0, 0,  (0x1, {24, 192, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   408   NtClose  (192, ... ) == 0x0
 01303   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233072, ... ) }, 1233072, ... ) == 0x0
 01304   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 192, ) }, ... 192, ) == 0x0
 01305   408   NtQueryValueKey  (192,  (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01306   408   NtClose  (192, ... ) == 0x0
 01307   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01308   408   NtQueryValueKey  (192,  (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01309   408   NtClose  (192, ... ) == 0x0
 01310   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01312   408   NtQueryValueKey  (192,  (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01313   408   NtClose  (192, ... ) == 0x0
 01314   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01315   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01316   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01317   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01318   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01319   408   NtSetInformationFile  (196, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01320   408   NtSetInformationFile  (196, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01321   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01322   408   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01323   408   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01324   408   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20t\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01325   408   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01326   408   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0S\6\360\307\3625\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01327   408   NtClose  (192, ... ) == 0x0
 01328   408   NtClose  (196, ... ) == 0x0
 01329   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01330   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01331   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01332   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01333   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   408   NtSetInformationFile  (192, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01335   408   NtSetInformationFile  (192, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01336   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01337   408   NtWriteFile  (192, 125, 0, 0,  (192, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01338   408   NtReadFile  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01339   408   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01340   408   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01341   408   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0T\6\360\307\3625\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01342   408   NtClose  (196, ... ) == 0x0
 01343   408   NtClose  (192, ... ) == 0x0
 01344   408   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01345   408   NtOpenProcessToken  (-1, 0x20, ... 192, ) == 0x0
 01346   408   NtAdjustPrivilegesToken  (192, 0, 1482976, 0, 0, 0, ... ) == 0x0
 01347   408   NtClose  (192, ... ) == 0x0
 01348   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01349   408   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01350   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01351   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01352   408   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234092,  (0xc0100080, {24, 0, 0x40, 0, 1234092, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01353   408   NtSetInformationFile  (196, 1234148, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01354   408   NtSetInformationFile  (196, 1234140, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01355   408   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01356   408   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01357   408   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01358   408   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20u!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01359   408   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01360   408   NtOpenProcessToken  (-1, 0x20, ... 200, ) == 0x0
 01361   408   NtAdjustPrivilegesToken  (200, 0, 1483056, 0, 0, 0, ... ) == 0x0
 01362   408   NtClose  (200, ... ) == 0x0
 01363   408   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01364   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01365   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01366   408   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01367   408   NtClose  (204, ... ) == 0x0
 01368   408   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369   408   NtClose  (200, ... ) == 0x0
 01370   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=1}, ) }, 3, 16, ... 200, {status=0x0, info=1}, ) == 0x0
 01371   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01372   408   NtClose  (200, ... ) == 0x0
 01373   408   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01374   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01375   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01376   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01377   408   NtClose  (-2147482208, ... ) == 0x0
 01375   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01378   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01379   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01380   408   NtClose  (-2147482208, ... ) == 0x0
 01378   408   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\15\201\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01381   408   NtClose  (200, ... ) == 0x0
 01382   408   NtAllocateVirtualMemory  (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0
 01383   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01384   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01385   408   NtClose  (200, ... ) == 0x0
 01386   408   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01387   408   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01388   408   NtClose  (204, ... ) == 0x0
 01389   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01390   408   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01391   408   NtClose  (204, ... ) == 0x0
 01392   408   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01393   408   NtClose  (200, ... ) == 0x0
 01394   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01395   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01396   408   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01397   408   NtClose  (204, ... ) == 0x0
 01398   408   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01399   408   NtClose  (200, ... ) == 0x0
 01400   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01401   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01402   408   NtClose  (200, ... ) == 0x0
 01403   408   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01404   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01405   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01406   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01407   408   NtClose  (-2147482208, ... ) == 0x0
 01405   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01408   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01409   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01410   408   NtClose  (-2147482208, ... ) == 0x0
 01408   408   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01411   408   NtClose  (200, ... ) == 0x0
 01412   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01413   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01414   408   NtClose  (200, ... ) == 0x0
 01415   408   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01416   408   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01417   408   NtClose  (204, ... ) == 0x0
 01418   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01419   408   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01420   408   NtClose  (204, ... ) == 0x0
 01421   408   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   408   NtClose  (200, ... ) == 0x0
 01423   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01424   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01425   408   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01426   408   NtClose  (204, ... ) == 0x0
 01427   408   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01428   408   NtClose  (200, ... ) == 0x0
 01429   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01430   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01431   408   NtClose  (200, ... ) == 0x0
 01432   408   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01433   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01434   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01435   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01436   408   NtClose  (-2147482208, ... ) == 0x0
 01434   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01437   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01438   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01439   408   NtClose  (-2147482208, ... ) == 0x0
 01437   408   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01440   408   NtClose  (200, ... ) == 0x0
 01441   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01442   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01443   408   NtClose  (200, ... ) == 0x0
 01444   408   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01445   408   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\214\1\0\0\230\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\214\1\0\0\230\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01446   408   NtClose  (204, ... ) == 0x0
 01447   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01448   408   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01449   408   NtClose  (204, ... ) == 0x0
 01450   408   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01451   408   NtClose  (200, ... ) == 0x0
 01452   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01453   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01454   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01455   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01456   408   NtClose  (-2147482208, ... ) == 0x0
 01454   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01457   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01458   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01459   408   NtClose  (-2147482208, ... ) == 0x0
 01457   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01460   408   NtClose  (200, ... ) == 0x0
 01461   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01462   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01463   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01464   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01465   408   NtClose  (-2147482208, ... ) == 0x0
 01463   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01466   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01467   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01468   408   NtClose  (-2147482208, ... ) == 0x0
 01466   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01469   408   NtClose  (200, ... ) == 0x0
 01470   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01471   408   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01472   408   NtClose  (200, ... ) == 0x0
 01473   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01475   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01479   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01482   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01483   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01484   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01485   408   NtClose  (-2147482208, ... ) == 0x0
 01483   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01486   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01487   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01488   408   NtClose  (-2147482208, ... ) == 0x0
 01486   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01489   408   NtClose  (200, ... ) == 0x0
 01490   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01491   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01492   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01493   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01494   408   NtClose  (-2147482208, ... ) == 0x0
 01492   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01495   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01496   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01497   408   NtClose  (-2147482208, ... ) == 0x0
 01495   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01498   408   NtClose  (200, ... ) == 0x0
 01499   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01500   408   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01501   408   NtClose  (200, ... ) == 0x0
 01502   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01504   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01508   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01511   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01512   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01513   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01514   408   NtClose  (-2147482208, ... ) == 0x0
 01512   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01515   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01516   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01517   408   NtClose  (-2147482208, ... ) == 0x0
 01515   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01518   408   NtClose  (200, ... ) == 0x0
 01519   408   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01520   408   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01521   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01522   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01523   408   NtClose  (-2147482208, ... ) == 0x0
 01521   408   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01524   408   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01525   408   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01526   408   NtClose  (-2147482208, ... ) == 0x0
 01524   408   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01527   408   NtClose  (200, ... ) == 0x0
 01528   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01529   408   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01530   408   NtClose  (200, ... ) == 0x0
 01531   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01533   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01537   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01540   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01541   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01542   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 204, ) }, ... 204, ) == 0x0
 01543   408   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\F:00000000000091d2", 66, ) , 66, ) == 0x0
 01544   408   NtClose  (204, ... ) == 0x0
 01545   408   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01546   408   NtClose  (200, ... ) == 0x0
 01547   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01548   408   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01549   408   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 204, ) }, ... 204, ) == 0x0
 01550   408   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\U:00000000000091d2", 66, ) , 66, ) == 0x0
 01551   408   NtClose  (204, ... ) == 0x0
 01552   408   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01553   408   NtClose  (200, ... ) == 0x0
 01554   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01555   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01556   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01557   408   NtClose  (200, ... ) == 0x0
 01558   408   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01559   408   NtClose  (204, ... ) == 0x0
 01560   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01561   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01562   408   NtClose  (204, ... ) == 0x0
 01563   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01564   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 204, ) }, ... 204, ) == 0x0
 01566   408   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01567   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01568   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01569   408   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01570   408   NtClose  (200, ... ) == 0x0
 01571   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   408   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   408   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01574   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01575   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01576   408   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01577   408   NtClose  (200, ... ) == 0x0
 01578   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   408   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 200, ) == 0x0
 01580   408   NtClose  (206, ... ) == 0x0
 01581   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01582   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01583   408   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01584   408   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01585   408   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01586   408   NtAllocateVirtualMemory  (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0
 01587   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01588   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01589   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01590   408   NtClose  (204, ... ) == 0x0
 01591   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   408   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01594   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01595   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01596   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01597   408   NtClose  (204, ... ) == 0x0
 01598   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   408   NtQueryValueKey  (202,  (202, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01601   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01602   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01603   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01604   408   NtClose  (204, ... ) == 0x0
 01605   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   408   NtQueryValueKey  (202,  (202, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   408   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01608   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01610   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   408   NtClose  (204, ... ) == 0x0
 01612   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   408   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 204, ) }, ... 204, ) == 0x0
 01617   408   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01618   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01620   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   408   NtClose  (208, ... ) == 0x0
 01622   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   408   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01625   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01626   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01627   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01628   408   NtClose  (208, ... ) == 0x0
 01629   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   408   NtQueryValueKey  (202,  (202, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01632   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01633   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01634   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01635   408   NtClose  (208, ... ) == 0x0
 01636   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   408   NtQueryValueKey  (202,  (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01638   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01639   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01640   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01641   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01642   408   NtClose  (208, ... ) == 0x0
 01643   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   408   NtQueryValueKey  (202,  (202, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   408   NtClose  (202, ... ) == 0x0
 01646   408   NtClose  (206, ... ) == 0x0
 01647   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01648   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01649   408   NtClose  (204, ... ) == 0x0
 01650   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01651   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01652   408   NtClose  (204, ... ) == 0x0
 01653   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01654   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01655   408   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01656   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01657   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01658   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01659   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01660   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01661   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01662   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01663   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01664   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01665   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01666   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01667   408   NtClose  (204, ... ) == 0x0
 01668   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01669   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01670   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01671   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01672   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01673   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01674   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01675   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01676   408   NtClose  (204, ... ) == 0x0
 01677   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01678   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01679   408   NtClose  (204, ... ) == 0x0
 01680   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01681   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01682   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01683   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01684   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01685   408   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 01686   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01687   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01688   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01689   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01690   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01691   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01692   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01693   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01694   408   NtClose  (204, ... ) == 0x0
 01695   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01696   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01697   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01698   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01699   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01700   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01701   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01702   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01703   408   NtClose  (204, ... ) == 0x0
 01704   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01705   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01706   408   NtClose  (204, ... ) == 0x0
 01707   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01708   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01709   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231240, ... ) }, 1231240, ... ) == 0x0
 01710   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01711   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01712   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01713   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01714   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01715   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01716   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01717   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01718   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01719   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01720   408   NtClose  (204, ... ) == 0x0
 01721   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01722   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01723   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01724   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01725   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01726   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01727   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01728   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01729   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01730   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01731   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01732   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01733   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01734   408   NtClose  (204, ... ) == 0x0
 01735   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01736   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01737   408   NtClose  (204, ... ) == 0x0
 01738   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01739   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01740   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01741   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01742   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01743   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01744   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01745   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01746   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01747   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01748   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01749   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01750   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01751   408   NtClose  (204, ... ) == 0x0
 01752   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01753   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01754   408   NtClose  (204, ... ) == 0x0
 01755   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01756   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01757   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01758   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01759   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01760   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01761   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01762   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01763   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01764   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01765   408   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01766   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01767   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01768   408   NtClose  (204, ... ) == 0x0
 01769   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01770   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01771   408   NtClose  (204, ... ) == 0x0
 01772   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01773   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01774   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01775   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01776   408   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01777   408   NtQueryValueKey  (204,  (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 01778   408   NtClose  (204, ... ) == 0x0
 01779   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01780   408   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01781   408   NtSetValueKey  (204,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0
 01782   408   NtClose  (204, ... ) == 0x0
 01783   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01784   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01785   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01786   408   NtClose  (204, ... ) == 0x0
 01787   408   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01788   408   NtClose  (200, ... ) == 0x0
 01789   408   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01790   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01791   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01792   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01793   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01794   408   NtClose  (200, ... ) == 0x0
 01795   408   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01796   408   NtClose  (204, ... ) == 0x0
 01797   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01798   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01799   408   NtClose  (204, ... ) == 0x0
 01800   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01801   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01802   408   NtClose  (204, ... ) == 0x0
 01803   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01804   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01805   408   NtClose  (204, ... ) == 0x0
 01806   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01807   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01808   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229200, ... ) }, 1229200, ... ) == 0x0
 01809   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01810   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01811   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01812   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01813   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01814   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01815   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01816   408   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01817   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01818   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01819   408   NtClose  (204, ... ) == 0x0
 01820   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01821   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01822   408   NtClose  (204, ... ) == 0x0
 01823   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01824   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01825   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229172, ... ) }, 1229172, ... ) == 0x0
 01826   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01827   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01828   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01829   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01830   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01831   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01832   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01833   408   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01834   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01835   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01836   408   NtClose  (204, ... ) == 0x0
 01837   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01838   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01839   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01840   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01841   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01842   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01843   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01844   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01845   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01846   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01847   408   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01848   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01849   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01850   408   NtClose  (204, ... ) == 0x0
 01851   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01852   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01853   408   NtClose  (204, ... ) == 0x0
 01854   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01855   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01856   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01857   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01858   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01859   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01860   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01861   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01862   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01863   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01864   408   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01865   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01866   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01867   408   NtClose  (204, ... ) == 0x0
 01868   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01869   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01870   408   NtClose  (204, ... ) == 0x0
 01871   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01872   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01873   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01874   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   408   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01877   408   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01878   408   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01879   408   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01880   408   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01881   408   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01882   408   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01883   408   NtUnlockFile  (204, {0, 0}, {-1, -1}, 408, ... ) == STATUS_RANGE_NOT_LOCKED
 01884   408   NtClose  (204, ... ) == 0x0
 01885   408   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01886   408   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01887   408   NtClose  (204, ... ) == 0x0
 01888   408   NtAllocateVirtualMemory  (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0
 01889   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01890   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01891   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01892   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01893   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01894   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01895   408   NtQueryValueKey  (204,  (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0
 01896   408   NtClose  (204, ... ) == 0x0
 01897   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01898   408   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01899   408   NtSetValueKey  (204,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01900   408   NtClose  (204, ... ) == 0x0
 01901   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01902   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01903   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01904   408   NtClose  (204, ... ) == 0x0
 01905   408   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01906   408   NtClose  (200, ... ) == 0x0
 01907   408   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01908   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01909   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01910   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01911   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01912   408   NtClose  (200, ... ) == 0x0
 01913   408   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01914   408   NtClose  (204, ... ) == 0x0
 01915   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01916   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1,  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01917   408   NtClose  (204, ... ) == 0x0
 01918   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01919   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01920   408   NtClose  (204, ... ) == 0x0
 01921   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01922   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01923   408   NtClose  (204, ... ) == 0x0
 01924   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01925   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01926   408   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01927   408   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01928   408   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01929   408   NtQueryValueKey  (204,  (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0
 01930   408   NtClose  (204, ... ) == 0x0
 01931   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01932   408   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01933   408   NtSetValueKey  (204,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0
 01934   408   NtClose  (204, ... ) == 0x0
 01935   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01936   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01937   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01938   408   NtClose  (204, ... ) == 0x0
 01939   408   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01940   408   NtClose  (200, ... ) == 0x0
 01941   408   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01942   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01943   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01944   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01945   408   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01946   408   NtClose  (200, ... ) == 0x0
 01947   408   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01948   408   NtClose  (204, ... ) == 0x0
 01949   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01950   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01951   408   NtClose  (204, ... ) == 0x0
 01952   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01953   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01954   408   NtClose  (204, ... ) == 0x0
 01955   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01956   408   NtQueryDirectoryFile  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01957   408   NtClose  (204, ... ) == 0x0
 01958   408   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 204, ) }, ... 204, ) == 0x0
 01959   408   NtEnumerateValueKey  (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01960   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01961   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01963   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01964   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01965   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01966   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01967   408   NtClose  (208, ... ) == 0x0
 01968   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   408   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01970   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01971   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01972   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01973   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01974   408   NtClose  (208, ... ) == 0x0
 01975   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   408   NtQueryValueKey  (202,  (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   408   NtClose  (202, ... ) == 0x0
 01978   408   NtEnumerateValueKey  (204, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01979   408   NtClose  (204, ... ) == 0x0
 01980   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01981   408   NtQueryValueKey  (204,  (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01982   408   NtClose  (204, ... ) == 0x0
 01983   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01984   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01985   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 01986   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01987   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01988   408   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01989   408   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01990   408   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01991   408   NtClose  (204, ... ) == 0x0
 01992   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01993   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01995   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 01997   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 01999   408   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02000   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02001   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02002   408   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02003   408   NtClose  (200, ... ) == 0x0
 02004   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   408   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02006   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02007   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 200, ) }, ... 200, ) == 0x0
 02009   408   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02010   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02012   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   408   NtClose  (208, ... ) == 0x0
 02014   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   408   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   408   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02017   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02018   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02019   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02020   408   NtClose  (208, ... ) == 0x0
 02021   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   408   NtOpenKey  (0x2000000, {24, 202, 0x40, 0, 0, ""}, ... 208, ) == 0x0
 02023   408   NtClose  (202, ... ) == 0x0
 02024   408   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02025   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02027   408   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   408   NtClose  (200, ... ) == 0x0
 02029   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   408   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   408   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 02032   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02033   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02034   408   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02035   408   NtClose  (200, ... ) == 0x0
 02036   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02037   408   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02039   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02041   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 02042   408   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02044   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02045   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02046   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02047   408   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02048   408   NtClose  (212, ... ) == 0x0
 02049   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   408   NtQueryValueKey  (202,  (202, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02051   408   NtClose  (202, ... ) == 0x0
 02052   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02053   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 200, ) }, ... 200, ) == 0x0
 02055   408   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 02056   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02057   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02058   408   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02059   408   NtClose  (212, ... ) == 0x0
 02060   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02061   408   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   408   NtClose  (206, ... ) == 0x0
 02063   408   NtClose  (210, ... ) == 0x0
 02064   408   NtClose  (202, ... ) == 0x0
 02065   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02066   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   408   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02068   408   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02070   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02072   408   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02073   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02074   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02075   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02076   408   NtClose  (208, ... ) == 0x0
 02077   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   408   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02079   408   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02080   408   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 208, ) }, ... 208, ) == 0x0
 02082   408   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02083   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02085   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   408   NtClose  (204, ... ) == 0x0
 02087   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   408   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02089   408   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02090   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02091   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02092   408   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02093   408   NtClose  (204, ... ) == 0x0
 02094   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   408   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 02096   408   NtClose  (210, ... ) == 0x0
 02097   408   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02098   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02099   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02100   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02101   408   NtClose  (208, ... ) == 0x0
 02102   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   408   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "shell"}, ... 208, ) }, ... 208, ) == 0x0
 02104   408   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02105   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02106   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02107   408   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02108   408   NtClose  (212, ... ) == 0x0
 02109   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02110   408   NtQueryValueKey  (210, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   408   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02112   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02114   408   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   408   NtClose  (212, ... ) == 0x0
 02116   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   408   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "open"}, ... 212, ) }, ... 212, ) == 0x0
 02118   408   NtClose  (210, ... ) == 0x0
 02119   408   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02120   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02121   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02122   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02123   408   NtClose  (208, ... ) == 0x0
 02124   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   408   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02126   408   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02127   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02128   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02129   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02130   408   NtClose  (216, ... ) == 0x0
 02131   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   408   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02133   408   NtClose  (210, ... ) == 0x0
 02134   408   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   408   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02136   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02137   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02138   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02139   408   NtClose  (208, ... ) == 0x0
 02140   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   408   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02142   408   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02143   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02144   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02145   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02146   408   NtClose  (216, ... ) == 0x0
 02147   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   408   NtQueryValueKey  (210,  (210, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02149   408   NtClose  (210, ... ) == 0x0
 02150   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   408   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02152   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02153   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02154   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02155   408   NtClose  (208, ... ) == 0x0
 02156   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   408   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02158   408   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02159   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02160   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02161   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02162   408   NtClose  (216, ... ) == 0x0
 02163   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   408   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02165   408   NtClose  (210, ... ) == 0x0
 02166   408   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02167   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02168   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02169   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02170   408   NtClose  (208, ... ) == 0x0
 02171   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02172   408   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173   408   NtUserGetForegroundWindow  (... ) == 0x2005e
 02174   408   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02175   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02176   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02177   408   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02178   408   NtClose  (208, ... ) == 0x0
 02179   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   408   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02181   408   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02182   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02183   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02184   408   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02185   408   NtClose  (216, ... ) == 0x0
 02186   408   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   408   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02188   408   NtClose  (210, ... ) == 0x0
 02189   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02190   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02191   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02193   408   NtQueryValueKey  (208,  (208, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   408   NtClose  (208, ... ) == 0x0
 02195   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02196   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02197   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02199   408   NtQueryValueKey  (208,  (208, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   408   NtClose  (208, ... ) == 0x0
 02201   408   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   408   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   408   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02205   408   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02206   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   408   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02208   408   NtQueryValueKey  (208,  (208, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   408   NtClose  (208, ... ) == 0x0
 02210   408   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   408   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02212   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231308, ... ) }, 1231308, ... ) == 0x0
 02213   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02214   408   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02215   408   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 02216   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 216, ) }, ... 216, ) == 0x0
 02217   408   NtQueryValueKey  (216,  (216, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   408   NtClose  (216, ... ) == 0x0
 02219   408   NtQueryVolumeInformationFile  (208, 1231308, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02220   408   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 216, ) }, ... 216, ) == 0x0
 02221   408   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02222   408   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 220, ) }, ... 220, ) == 0x0
 02223   408   NtMapViewOfSection  (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 57344, ) == 0x0
 02224   408   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02225   408   NtAllocateVirtualMemory  (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0
 02226   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229292, ... ) }, 1229292, ... ) == 0x0
 02227   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 02228   408   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0
 02229   408   NtClose  (224, ... ) == 0x0
 02230   408   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa30000), 0x0, 106496, ) == 0x0
 02231   408   NtClose  (228, ... ) == 0x0
 02232   408   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 02233   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229608, ... ) }, 1229608, ... ) == 0x0
 02234   408   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02235   408   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0
 02236   408   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02237   408   NtClose  (228, ... ) == 0x0
 02238   408   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02239   408   NtClose  (224, ... ) == 0x0
 02240   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0
 02241   408   NtQueryInformationFile  (224, 1229896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02242   408   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 02243   408   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa30000), 0x0, 1028096, ) == 0x0
 02244   408   NtQueryInformationFile  (224, 1229992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02245   408   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   408   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02247   408   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02248   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02249   408   NtQueryDirectoryFile  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1,  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 02250   408   NtClose  (232, ... ) == 0x0
 02251   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02252   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02253   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226944, ... ) }, 1226944, ... ) == 0x0
 02254   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02255   408   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02256   408   NtClose  (232, ... ) == 0x0
 02257   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02258   408   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02259   408   NtClose  (232, ... ) == 0x0
 02260   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02261   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02262   408   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02263   408   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02264   408   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 232, ) == 0x0
 02265   408   NtQueryInformationToken  (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   408   NtClose  (232, ... ) == 0x0
 02267   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   408   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02270   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02271   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02272   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02273   408   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02274   408   NtClose  (232, ... ) == 0x0
 02275   408   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02276   408   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02277   408   NtClose  (232, ... ) == 0x0
 02278   408   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02279   408   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02280   408   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02281   408   NtQueryVolumeInformationFile  (208, 1229868, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02282   408   NtQueryInformationFile  (208, 1229848, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02283   408   NtQueryInformationFile  (208, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02284   408   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02285   408   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 02286   408   NtClose  (228, ... ) == 0x0
 02287   408   NtClose  (224, ... ) == 0x0
 02288   408   NtClose  (208, ... ) == 0x0
 02289   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   408   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == 0x0
 02292   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02293   408   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02294   408   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... 224, ) == 0x0
 02295   408   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   408   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02297   408   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   408   NtCreateProcessEx  (1233936, 2035711, 0, -1, 0, 224, 0, 0, 0, ... ) == 0x0
 02299   408   NtSetInformationProcess  (228, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02300   408   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=552,ParentPid=396,}, 0x0, ) == 0x0
 02301   408   NtReadVirtualMemory  (228, 0x7ffdf008, 4, ...  (228, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 02302   408   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   408   NtAllocateVirtualMemory  (-1, 1507328, 0, 8192, 4096, 4, ... 1507328, 8192, ) == 0x0
 02304   408   NtReadVirtualMemory  (228, 0x4ad00000, 4096, ...  (228, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02305   408   NtReadVirtualMemory  (228, 0x4ad3b000, 256, ...  (228, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 02306   408   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02307   408   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=552,ParentPid=396,}, 0x0, ) == 0x0
 02308   408   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02309   408   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 10682368, 4096, ) == 0x0
 02310   408   NtAllocateVirtualMemory  (228, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02311   408   NtWriteVirtualMemory  (228, 0x10000,  (228, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02312   408   NtAllocateVirtualMemory  (228, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02313   408   NtWriteVirtualMemory  (228, 0x20000,  (228, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0
 02314   408   NtWriteVirtualMemory  (228, 0x7ffdf010,  (228, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02315   408   NtWriteVirtualMemory  (228, 0x7ffdf1e8,  (228, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02316   408   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 02317   408   NtAllocateVirtualMemory  (228, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02318   408   NtAllocateVirtualMemory  (228, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 02319   408   NtCreateThread  (0x1f03ff, 0x0, 228, 1232200, 1232920, 1, ... 232, {552, 556}, ) == 0x0
 02320   408   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0(\2\0\0,\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 396, 408, 1455, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0(\2\0\0,\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 396, 408, 1455, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0(\2\0\0,\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 396, 408, 1455, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0(\2\0\0,\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02321   408   NtResumeThread  (232, ... 1, ) == 0x0
 02322   408   NtClose  (208, ... ) == 0x0
 02323   408   NtClose  (224, ... ) == 0x0
 02324   408   NtClose  (214, ... ) == 0x0
 02325   408   NtClose  (202, ... ) == 0x0
 02326   408   NtClose  (206, ... ) == 0x0
 02327   408   NtClose  (228, ... ) == 0x0
 02328   408   NtClose  (232, ... ) == 0x0
 02329   408   NtUserDestroyWindow  (131252, ...
 02330   408   NtUserRemoveProp  (131252, 43288, ... ) == 0xffffffff
 02331   408   NtUserRemoveProp  (131252, 43282, ... ) == 0x0
 02332   408   NtUserRemoveProp  (131252, 43287, ... ) == 0x0
 02329   408   NtUserDestroyWindow  ... ) == 0x1
 02333   408   NtUserUnregisterClass  (1237380, 1998258176, 1237368, ... ) == 0x1
 02334   408   NtTerminateProcess  (0, 0, ... ) == 0x0
 02335   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02336   408   NtWaitForMultipleObjects  (2, (168, 160, ), 1, 0, 0x0, ... ) == 0x1
 02337   408   NtClose  (160, ... ) == 0x0
 02338   408   NtSetEvent  (168, ... 0x0, ) == 0x0
 02339   408   NtClose  (168, ... ) == 0x0
 02340   408   NtWaitForMultipleObjects  (2, (176, 180, ), 1, 0, 0x0, ... ) == 0x1
 02341   408   NtClose  (180, ... ) == 0x0
 02342   408   NtSetEvent  (176, ... 0x0, ) == 0x0
 02343   408   NtClose  (176, ... ) == 0x0
 02344   408   NtWaitForMultipleObjects  (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1
 02345   408   NtClose  (188, ... ) == 0x0
 02346   408   NtSetEvent  (184, ... 0x0, ) == 0x0
 02347   408   NtClose  (184, ... ) == 0x0
 02348   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02349   408   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 02350   408   NtClose  (108, ... ) == 0x0
 02351   408   NtGdiDeleteObjectApp  (34604062, ... ) == 0x1
 02352   408   NtUserGetProcessWindowStation  (... ) == 0x28
 02353   408   NtUserBuildNameList  (40, 256, 1392264, 1241844, ... ) == 0x0
 02354   408   NtUserGetProcessWindowStation  (... ) == 0x28
 02355   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 02356   408   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x100ac, 0x100aa, 0x100a8, 0x20060, 0x100a2, 0x10082, 0x10076, 0x1006a, 0x30046, 0x10068, 0x10066, 0x30038, 0x1009a, 0x1008e, 0x1007e, 0x10026, 0x300b4, 0x100c0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b2, 0x100b0, 0x2005e, 0x100ae, 0x2005c, 0x1006e, 0x5004a, 0x4004e, 0x50048, 0x10080, 0x10078, 0x1, ), 35, ) == 0x0
 02357   408   NtUserQueryWindow  (65708, 0, ... ) == 0xc8
 02358   408   NtUserQueryWindow  (65708, 1, ... ) == 0xa4
 02359   408   NtUserQueryWindow  (65706, 0, ... ) == 0xc8
 02360   408   NtUserQueryWindow  (65706, 1, ... ) == 0xa4
 02361   408   NtUserQueryWindow  (65704, 0, ... ) == 0xc8
 02362   408   NtUserQueryWindow  (65704, 1, ... ) == 0xa4
 02363   408   NtUserQueryWindow  (131168, 0, ... ) == 0xc8
 02364   408   NtUserQueryWindow  (131168, 1, ... ) == 0xa4
 02365   408   NtUserQueryWindow  (65698, 0, ... ) == 0x7d0
 02366   408   NtUserQueryWindow  (65698, 1, ... ) == 0x7dc
 02367   408   NtUserQueryWindow  (65666, 0, ... ) == 0x7d0
 02368   408   NtUserQueryWindow  (65666, 1, ... ) == 0x7dc
 02369   408   NtUserBuildHwndList  (0, 65666, 1, 0, 64, ... (0x10084, 0x10088, 0x1008a, 0x1008c, 0x10090, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009c, 0x1009e, 0x100a0, 0x1, ), 13, ) == 0x0
 02370   408   NtUserQueryWindow  (65668, 0, ... ) == 0x7d0
 02371   408   NtUserQueryWindow  (65668, 1, ... ) == 0x7dc
 02372   408   NtUserQueryWindow  (65672, 0, ... ) == 0x7d0
 02373   408   NtUserQueryWindow  (65672, 1, ... ) == 0x7dc
 02374   408   NtUserQueryWindow  (65674, 0, ... ) == 0x7d0
 02375   408   NtUserQueryWindow  (65674, 1, ... ) == 0x7dc
 02376   408   NtUserQueryWindow  (65676, 0, ... ) == 0x7d0
 02377   408   NtUserQueryWindow  (65676, 1, ... ) == 0x7dc
 02378   408   NtUserQueryWindow  (65680, 0, ... ) == 0x7d0
 02379   408   NtUserQueryWindow  (65680, 1, ... ) == 0x7dc
 02380   408   NtUserQueryWindow  (65682, 0, ... ) == 0x7d0
 02381   408   NtUserQueryWindow  (65682, 1, ... ) == 0x7dc
 02382   408   NtUserQueryWindow  (65684, 0, ... ) == 0x7d0
 02383   408   NtUserQueryWindow  (65684, 1, ... ) == 0x7dc
 02384   408   NtUserQueryWindow  (65686, 0, ... ) == 0x7d0
 02385   408   NtUserQueryWindow  (65686, 1, ... ) == 0x7dc
 02386   408   NtUserQueryWindow  (65688, 0, ... ) == 0x7d0
 02387   408   NtUserQueryWindow  (65688, 1, ... ) == 0x7dc
 02388   408   NtUserQueryWindow  (65692, 0, ... ) == 0x7d0
 02389   408   NtUserQueryWindow  (65692, 1, ... ) == 0x7dc
 02390   408   NtUserQueryWindow  (65694, 0, ... ) == 0x7d0
 02391   408   NtUserQueryWindow  (65694, 1, ... ) == 0x7dc
 02392   408   NtUserQueryWindow  (65696, 0, ... ) == 0x7d0
 02393   408   NtUserQueryWindow  (65696, 1, ... ) == 0x7dc
 02394   408   NtUserQueryWindow  (65654, 0, ... ) == 0x7d0
 02395   408   NtUserQueryWindow  (65654, 1, ... ) == 0x7dc
 02396   408   NtUserQueryWindow  (65642, 0, ... ) == 0x7d0
 02397   408   NtUserQueryWindow  (65642, 1, ... ) == 0x7dc
 02398   408   NtUserQueryWindow  (196678, 0, ... ) == 0x7d0
 02399   408   NtUserQueryWindow  (196678, 1, ... ) == 0x7dc
 02400   408   NtUserQueryWindow  (65640, 0, ... ) == 0x7d0
 02401   408   NtUserQueryWindow  (65640, 1, ... ) == 0x7dc
 02402   408   NtUserQueryWindow  (65638, 0, ... ) == 0x7d0
 02403   408   NtUserQueryWindow  (65638, 1, ... ) == 0x7dc
 02404   408   NtUserQueryWindow  (196664, 0, ... ) == 0x7d0
 02405   408   NtUserQueryWindow  (196664, 1, ... ) == 0x7dc
 02406   408   NtUserBuildHwndList  (0, 196664, 1, 0, 64, ... (0x3003c, 0x3003a, 0x3003e, 0x30040, 0x30042, 0x30044, 0x1006c, 0x10070, 0x10074, 0x1, ), 10, ) == 0x0
 02407   408   NtUserQueryWindow  (196668, 0, ... ) == 0x7d0
 02408   408   NtUserQueryWindow  (196668, 1, ... ) == 0x7dc
 02409   408   NtUserQueryWindow  (196666, 0, ... ) == 0x7d0
 02410   408   NtUserQueryWindow  (196666, 1, ... ) == 0x7dc
 02411   408   NtUserQueryWindow  (196670, 0, ... ) == 0x7d0
 02412   408   NtUserQueryWindow  (196670, 1, ... ) == 0x7dc
 02413   408   NtUserQueryWindow  (196672, 0, ... ) == 0x7d0
 02414   408   NtUserQueryWindow  (196672, 1, ... ) == 0x7dc
 02415   408   NtUserQueryWindow  (196674, 0, ... ) == 0x7d0
 02416   408   NtUserQueryWindow  (196674, 1, ... ) == 0x7dc
 02417   408   NtUserQueryWindow  (196676, 0, ... ) == 0x7d0
 02418   408   NtUserQueryWindow  (196676, 1, ... ) == 0x7dc
 02419   408   NtUserQueryWindow  (65644, 0, ... ) == 0x7d0
 02420   408   NtUserQueryWindow  (65644, 1, ... ) == 0x7dc
 02421   408   NtUserQueryWindow  (65648, 0, ... ) == 0x7d0
 02422   408   NtUserQueryWindow  (65648, 1, ... ) == 0x7dc
 02423   408   NtUserQueryWindow  (65652, 0, ... ) == 0x7d0
 02424   408   NtUserQueryWindow  (65652, 1, ... ) == 0x7dc
 02425   408   NtUserQueryWindow  (65690, 0, ... ) == 0x7d0
 02426   408   NtUserQueryWindow  (65690, 1, ... ) == 0x7dc
 02427   408   NtUserQueryWindow  (65678, 0, ... ) == 0x7d0
 02428   408   NtUserQueryWindow  (65678, 1, ... ) == 0x7dc
 02429   408   NtUserQueryWindow  (65662, 0, ... ) == 0x7d0
 02430   408   NtUserQueryWindow  (65662, 1, ... ) == 0x7d4
 02431   408   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 02432   408   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 02433   408   NtUserQueryWindow  (196788, 0, ... ) == 0x228
 02434   408   NtUserQueryWindow  (196788, 1, ... ) == 0x22c
 02435   408   NtUserQueryWindow  (65728, 0, ... ) == 0xcc
 02436   408   NtUserQueryWindow  (65728, 1, ... ) == 0xd0
 02437   408   NtUserQueryWindow  (65726, 0, ... ) == 0xcc
 02438   408   NtUserQueryWindow  (65726, 1, ... ) == 0xd0
 02439   408   NtUserQueryWindow  (65724, 0, ... ) == 0xcc
 02440   408   NtUserQueryWindow  (65724, 1, ... ) == 0xd0
 02441   408   NtUserQueryWindow  (65722, 0, ... ) == 0xcc
 02442   408   NtUserQueryWindow  (65722, 1, ... ) == 0xd0
 02443   408   NtUserQueryWindow  (65720, 0, ... ) == 0xcc
 02444   408   NtUserQueryWindow  (65720, 1, ... ) == 0xd0
 02445   408   NtUserQueryWindow  (65718, 0, ... ) == 0xcc
 02446   408   NtUserQueryWindow  (65718, 1, ... ) == 0xd0
 02447   408   NtUserQueryWindow  (65714, 0, ... ) == 0xcc
 02448   408   NtUserQueryWindow  (65714, 1, ... ) == 0xd0
 02449   408   NtUserQueryWindow  (65712, 0, ... ) == 0xcc
 02450   408   NtUserQueryWindow  (65712, 1, ... ) == 0xd0
 02451   408   NtUserQueryWindow  (131166, 0, ... ) == 0xdc
 02452   408   NtUserQueryWindow  (131166, 1, ... ) == 0xe0
 02453   408   NtUserQueryWindow  (65710, 0, ... ) == 0xc8
 02454   408   NtUserQueryWindow  (65710, 1, ... ) == 0xa4
 02455   408   NtUserQueryWindow  (131164, 0, ... ) == 0xc0
 02456   408   NtUserQueryWindow  (131164, 1, ... ) == 0xc4
 02457   408   NtUserQueryWindow  (65646, 0, ... ) == 0x7d0
 02458   408   NtUserQueryWindow  (65646, 1, ... ) == 0x7f8
 02459   408   NtUserQueryWindow  (327754, 0, ... ) == 0x7d0
 02460   408   NtUserQueryWindow  (327754, 1, ... ) == 0x7d4
 02461   408   NtUserQueryWindow  (262222, 0, ... ) == 0x7d0
 02462   408   NtUserQueryWindow  (262222, 1, ... ) == 0x7d4
 02463   408   NtUserQueryWindow  (327752, 0, ... ) == 0x7d0
 02464   408   NtUserQueryWindow  (327752, 1, ... ) == 0x7d4
 02465   408   NtUserQueryWindow  (65664, 0, ... ) == 0x7d0
 02466   408   NtUserQueryWindow  (65664, 1, ... ) == 0x7d4
 02467   408   NtUserQueryWindow  (65656, 0, ... ) == 0x7d0
 02468   408   NtUserQueryWindow  (65656, 1, ... ) == 0x7d4
 02469   408   NtUserBuildHwndList  (0, 65656, 1, 0, 64, ... (0x1007a, 0x1007c, 0x1, ), 3, ) == 0x0
 02470   408   NtUserQueryWindow  (65658, 0, ... ) == 0x7d0
 02471   408   NtUserQueryWindow  (65658, 1, ... ) == 0x7d4
 02472   408   NtUserQueryWindow  (65660, 0, ... ) == 0x7d0
 02473   408   NtUserQueryWindow  (65660, 1, ... ) == 0x7d4
 02474   408   NtUserCloseDesktop  (108, ...
 02475   408   NtClose  (108, ... ) == 0x0
 02474   408   NtUserCloseDesktop  ... ) == 0x1
 02476   408   NtUserGetProcessWindowStation  (... ) == 0x28
 02477   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02478   408   NtUserGetProcessWindowStation  (... ) == 0x28
 02479   408   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02480   408   NtGdiDeleteObjectApp  (118096770, ... ) == 0x1
 02481   408   NtGdiDeleteObjectApp  (67765123, ... ) == 0x1
 02482   408   NtClose  (100, ... ) == 0x0
 02483   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02484   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02485   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02486   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02487   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02488   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02489   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02490   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02491   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02492   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02493   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02494   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02495   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02496   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02497   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02498   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02499   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02500   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02501   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02502   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02503   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02504   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02505   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02506   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02507   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02508   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02509   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02510   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02511   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02512   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02513   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02514   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02515   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02516   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02517   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02518   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02519   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02520   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc017
 02521   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02522   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc019
 02523   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02524   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc018
 02525   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02526   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01a
 02527   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02528   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01c
 02529   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02530   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01e
 02531   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02532   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01b
 02533   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02534   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc068
 02535   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02536   408   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc06a
 02537   408   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02538   408   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 02539   408   NtClose  (72, ... ) == 0x0
 02540   408   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 02541   408   NtClose  (76, ... ) == 0x0
 02542   408   NtClose  (68, ... ) == 0x0
 02543   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02544   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02545   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02546   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02547   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02548   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02549   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02550   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02551   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02552   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02553   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02554   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02555   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02556   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02557   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02558   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02559   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02560   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02561   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02562   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02563   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02564   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02565   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02566   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02567   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02568   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02569   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02570   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02571   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02572   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02573   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02574   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02575   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02576   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02577   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02578   408   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02579   408   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02580   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02581   408   NtClose  (172, ... ) == 0x0
 02582   408   NtClose  (148, ... ) == 0x0
 02583   408   NtClose  (164, ... ) == 0x0
 02584   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02585   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02586   408   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02587   408   NtClose  (152, ... ) == 0x0
 02588   408   NtClose  (156, ... ) == 0x0
 02589   408   NtClose  (104, ... ) == 0x0
 02590   408   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02591   408   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 396, 408, 1480, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 396, 408, 1480, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 396, 408, 1480, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02592   408   NtTerminateProcess  (-1, 0, ...
 02593   408   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtAdjustPrivilegesToken(>)	2	NtWriteVirtualMemory(>)	4	NtUserRegisterWindowMessage(>)	19
NtAddAtom(>)	1	NtContinue(>)	2	NtGdiGetStockObject(>)	5	NtOpenThreadToken(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtWriteFile(>)	5	NtUnmapViewOfSection(>)	21
NtConnectPort(>)	1	NtEnumerateKey(>)	2	NtCreateSemaphore(>)	6	NtCreateKey(>)	22
NtCreateProcessEx(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtCreateSection(>)	27
NtCreateThread(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultLocale(>)	6	NtQueryInformationFile(>)	27
NtDeleteValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtQuerySymbolicLinkObject(>)	6	NtOpenSection(>)	29
NtGdiCreateBitmap(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	6	NtReleaseSemaphore(>)	31
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtSetInformationProcess(>)	31
NtGdiInit(>)	1	NtQueryVirtualMemory(>)	2	NtQueryDefaultUILanguage(>)	8	NtWaitForSingleObject(>)	33
NtGdiQueryFontAssocInfo(>)	1	NtReleaseMutant(>)	2	NtSetInformationFile(>)	8	NtProtectVirtualMemory(>)	36
NtGdiSelectBitmap(>)	1	NtTerminateProcess(>)	2	NtQueryVolumeInformationFile(>)	9	NtUserUnregisterClass(>)	46
NtNotifyChangeKey(>)	1	NtUserCloseDesktop(>)	2	NtFsControlFile(>)	10	NtMapViewOfSection(>)	48
NtOpenKeyedEvent(>)	1	NtUserCreateWindowEx(>)	2	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	48
NtOpenProcess(>)	1	NtUserDestroyWindow(>)	2	NtQuerySection(>)	11	NtQueryInformationProcess(>)	51
NtQueryInformationJobObject(>)	1	NtUserMessageCall(>)	2	NtRequestWaitReplyPort(>)	11	NtDeviceIoControlFile(>)	55
NtQueryObject(>)	1	NtCreateMutant(>)	3	NtUserCallOneParam(>)	11	NtOpenProcessTokenEx(>)	60
NtQueryPerformanceCounter(>)	1	NtDuplicateObject(>)	3	NtUserSystemParametersInfo(>)	11	NtOpenThreadTokenEx(>)	60
NtQuerySystemTime(>)	1	NtEnumerateValueKey(>)	3	NtLockFile(>)	13	NtUserRegisterClassExWOW(>)	64
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUnlockFile(>)	13	NtQueryAttributesFile(>)	68
NtResumeThread(>)	1	NtGdiDeleteObjectApp(>)	3	NtCreateEvent(>)	14	NtQueryInformationToken(>)	72
NtSecureConnectPort(>)	1	NtOpenEvent(>)	3	NtOpenProcessToken(>)	14	NtQueryKey(>)	73
NtTestAlert(>)	1	NtReadVirtualMemory(>)	3	NtSetValueKey(>)	15	NtUserGetClassInfo(>)	82
NtUserBuildNameList(>)	1	NtSetEvent(>)	3	NtQueryDebugFilterState(>)	16	NtAllocateVirtualMemory(>)	88
NtUserGetAtomName(>)	1	NtUserGetObjectInformation(>)	3	NtFlushInstructionCache(>)	17	NtQuerySystemInformation(>)	88
NtUserGetDC(>)	1	NtUserOpenDesktop(>)	3	NtFreeVirtualMemory(>)	17	NtOpenFile(>)	90
NtUserGetForegroundWindow(>)	1	NtUserRemoveProp(>)	3	NtQueryDirectoryFile(>)	17	NtUserQueryWindow(>)	114
NtUserGetGUIThreadInfo(>)	1	NtWaitForMultipleObjects(>)	3	NtReadFile(>)	17	NtQueryValueKey(>)	125
NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtSetInformationThread(>)	17	NtOpenKey(>)	288
NtUserSetProp(>)	1	NtUserBuildHwndList(>)	4	NtCreateFile(>)	18	NtClose(>)	385