Summary (each system call observed, followed by the number of times it was invoked):

NtAccessCheck(>) 1 NtUserCallNoParam(>) 1 NtUserRegisterWindowMessage(>) 4 NtQueryAttributesFile(>) 24
NtAddAtom(>) 1 NtUserGetThreadDesktop(>) 1 NtWaitForSingleObject(>) 4 NtMapViewOfSection(>) 29
NtCallbackReturn(>) 1 NtWriteFile(>) 1 NtContinue(>) 5 NtSetValueKey(>) 31
NtDuplicateObject(>) 1 NtCreateEvent(>) 2 NtGdiGetStockObject(>) 5 NtProtectVirtualMemory(>) 36
NtEnumerateValueKey(>) 1 NtGdiCreateSolidBrush(>) 2 NtQueryDefaultLocale(>) 6 NtQueryValueKey(>) 40
NtFsControlFile(>) 1 NtOpenDirectoryObject(>) 2 NtRequestWaitReplyPort(>) 6 NtCreateKey(>) 41
NtGdiCreateBitmap(>) 1 NtOpenEvent(>) 2 NtQueryDebugFilterState(>) 8 NtSetInformationFile(>) 41
NtGdiInit(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryDefaultUILanguage(>) 8 NtAllocateVirtualMemory(>) 45
NtGdiQueryFontAssocInfo(>) 1 NtQueryPerformanceCounter(>) 2 NtReleaseMutant(>) 8 NtUserUnregisterClass(>) 45
NtGdiSelectBitmap(>) 1 NtQueryVirtualMemory(>) 2 NtFreeVirtualMemory(>) 9 NtUserFindExistingCursorIcon(>) 50
NtOpenKeyedEvent(>) 1 NtSetInformationProcess(>) 2 NtSetInformationThread(>) 9 NtUserRegisterClassExWOW(>) 63
NtOpenMutant(>) 1 NtTerminateProcess(>) 2 NtUserSystemParametersInfo(>) 10 NtUserGetClassInfo(>) 64
NtOpenProcess(>) 1 NtUserCallOneParam(>) 2 NtCreateSection(>) 11 NtOpenProcessTokenEx(>) 113
NtOpenSymbolicLinkObject(>) 1 NtUserGetDC(>) 2 NtQueryInformationFile(>) 11 NtOpenThreadTokenEx(>) 113
NtQueryObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtOpenFile(>) 14 NtQueryKey(>) 115
NtQuerySymbolicLinkObject(>) 1 NtCreateFile(>) 4 NtFlushInstructionCache(>) 18 NtQueryInformationToken(>) 117
NtQueryVolumeInformationFile(>) 1 NtOpenProcessToken(>) 4 NtQuerySystemInformation(>) 18 NtOpenKey(>) 245
NtRegisterThreadTerminatePort(>) 1 NtQueryInformationProcess(>) 4 NtReadFile(>) 18 NtClose(>) 257
NtSecureConnectPort(>) 1 NtQuerySection(>) 4 NtUnmapViewOfSection(>) 18
NtTestAlert(>) 1 NtSetInformationObject(>) 4

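Trace (one record per call: sequence number, caller ID (492, apparently the thread ID), call name, arguments, then `==` and the returned status or value; records run together on the lines below, and a record that breaks off at `...` without a status may be completed later under the same sequence number):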

00001 492 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 492 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 492 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 492 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 492 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 492 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 492 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 492 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 492 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 492 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 492 NtClose (12, ... 
) == 0x0 00014 492 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 492 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 492 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 492 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 492 NtClose (16, ... ) == 0x0 00021 492 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 492 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 492 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 492 NtClose (16, ... ) == 0x0 00026 492 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 492 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 492 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 492 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 492 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 492 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 476, 492, 1536, 0} " \34\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 476, 492, 1536, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 476, 492, 1536, 0} " \34\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 492 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 492 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 492 NtClose (16, ... ) == 0x0 00036 492 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 492 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 492 NtClose (28, ... ) == 0x0 00041 492 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 492 NtClose (28, ... ) == 0x0 00045 492 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 492 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 492 NtClose (28, ... ) == 0x0 00049 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 492 NtClose (28, ... ) == 0x0 00052 492 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 492 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 476, 492, 1541, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 476, 492, 1541, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 476, 492, 1541, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 492 NtProtectVirtualMemory (-1, (0x405000), 240, 4, ... (0x405000), 4096, 2, ) == 0x0 00057 492 NtProtectVirtualMemory (-1, (0x405000), 4096, 2, ... (0x405000), 4096, 4, ) == 0x0 00058 492 NtFlushInstructionCache (-1, 4214784, 240, ... ) == 0x0 00059 492 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00060 492 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00061 492 NtClose (28, ... ) == 0x0 00062 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00063 492 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00064 492 NtClose (28, ... ) == 0x0 00065 492 NtTestAlert (... ) == 0x0 00066 492 NtContinue (1244464, 1, ... 00067 492 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x4011b8,}, 4, ... ) == 0x0 00068 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00069 492 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
3276800, 65536, ) == 0x0 00070 492 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00071 492 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00072 492 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00073 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00074 492 NtClose (28, ... ) == 0x0 00075 492 NtAllocateVirtualMemory (-1, 3280896, 0, 4096, 4096, 4, ... 3280896, 4096, ) == 0x0 00076 492 NtQueryPerformanceCounter (... {109033144, 0}, {3579545, 0}, ) == 0x0 00077 492 NtQueryDefaultUILanguage (2013024600, ... 00078 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00079 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482012, ) == 0x0 00080 492 NtQueryInformationToken (-2147482012, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00081 492 NtClose (-2147482012, ... ) == 0x0 00082 492 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00083 492 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00084 492 NtOpenKey (0x80000000, {24, -2147482012, 0x640, 0, 0, (0x80000000, {24, -2147482012, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00085 492 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 492 NtClose (-2147482024, ... ) == 0x0 00087 492 NtClose (-2147482012, ... ) == 0x0 00077 492 NtQueryDefaultUILanguage ... ) == 0x0 00088 492 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00089 492 NtQueryDefaultLocale (1, 1243760, ... 
) == 0x0 00090 492 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1243888, (0xc0100080, {24, 0, 0x40, 0, 1243888, "\??\C:\WINDOWS\System32\iea.dll"}, 0x0, 128, 1, 5, 96, 0, 0, ... }, 0x0, 128, 1, 5, 96, 0, 0, ... 00091 492 NtClose (-2147482012, ... ) == 0x0 00090 492 NtCreateFile ... 28, {status=0x0, info=2}, ) == 0x0 00092 492 NtWriteFile (28, 0, 0, 0, (28, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\353\223\323\213\257\362\275\330\257\362\275\330\257\362\275\330,\372\342\330\246\362\275\330\274\372\340\330\255\362\275\330\252\376\262\330\263\362\275\330U\321\244\330\251\362\275\330,\372\340\330\276\362\275\330\257\362\274\330B\363\275\330\252\376\335\330\342\362\275\330\252\376\342\330+\362\275\330\252\376\341\330\256\362\275\330C\371\343\330\256\362\275\330\252\376\347\330\256\362\275\330Rich\257\362\275\330\0\0\0\0\0\0\0\0PE\0\0L\1\7\0\277_(F\0\0\0\0\0\0\0\0\340\0\16!\13\1\7\12\0\240\1\0\0@\1\0\0\0\0\0\1\360\2\0\0\20\0\0\0\260\1\0\0\0\0\20\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0 \3\0\0\6\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0`\26\2\0\250\0\0\0\254\377\2\0\24\2\0\0\0\200\2\0\210\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0T\377\2\0\10\0\0\0`\264\1\0\34\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0.tex", 107008, 0x0, 0, ... {status=0x0, info=107008}, ) , 107008, 0x0, 0, ... {status=0x0, info=107008}, ) == 0x0 00093 492 NtClose (28, ... ) == 0x0 00094 492 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 28, ) }, ... 28, ) == 0x0 00095 492 NtQueryValueKey (28, (28, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00096 492 NtClose (28, ... ) == 0x0 00097 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1241704, ... ) }, 1241704, ... ) == 0x0 00098 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00099 492 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 32, ) == 0x0 00100 492 NtClose (28, ... ) == 0x0 00101 492 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0 00102 492 NtClose (32, ... ) == 0x0 00103 492 NtUnmapViewOfSection (-1, 0x340000, ... ) == 0x0 00104 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1242020, ... ) }, 1242020, ... ) == 0x0 00105 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00106 492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00107 492 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00108 492 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00109 492 NtQueryInformationToken (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00110 492 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00111 492 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00112 492 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... 
TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00113 492 NtClose (40, ... ) == 0x0 00114 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00115 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00116 492 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00117 492 NtClose (40, ... ) == 0x0 00118 492 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 492 NtClose (36, ... ) == 0x0 00120 492 NtClose (32, ... ) == 0x0 00121 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x10000000), 0x0, 204800, ) == 0x0 00122 492 NtClose (28, ... ) == 0x0 00123 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 8, ) == 0x0 00124 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 8, ... (0x1002f000), 8192, 4, ) == 0x0 00125 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00126 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 28, ) }, ... 28, ) == 0x0 00127 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00128 492 NtClose (28, ... ) == 0x0 00129 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00130 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00131 492 NtClose (28, ... ) == 0x0 00132 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00133 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00134 492 NtClose (28, ... 
) == 0x0 00135 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00136 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00137 492 NtClose (28, ... ) == 0x0 00138 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00139 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00140 492 NtClose (28, ... ) == 0x0 00141 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00142 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00143 492 NtClose (28, ... ) == 0x0 00144 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00145 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00146 492 NtClose (28, ... ) == 0x0 00147 492 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00148 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00149 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00150 492 NtClose (28, ... ) == 0x0 00151 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00152 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00153 492 NtClose (28, ... ) == 0x0 00154 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00155 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00156 492 NtClose (28, ... 
) == 0x0 00157 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0 00158 492 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00159 492 NtClose (28, ... ) == 0x0 00160 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00161 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00162 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00163 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00164 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00165 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00166 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00167 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00168 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00169 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00170 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00171 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00172 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "winspool.drv"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\winspool.drv"}, 1241236, ... ) }, 1241236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00174 492 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "winspool.drv"}, 1241236, ... ) }, 1241236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00175 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winspool.drv"}, 1241236, ... ) }, 1241236, ... 
) == 0x0 00176 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winspool.drv"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00177 492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00178 492 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00179 492 NtClose (28, ... ) == 0x0 00180 492 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73000000), 0x0, 143360, ) == 0x0 00181 492 NtClose (32, ... ) == 0x0 00182 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00183 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00184 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00185 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00186 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00187 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00188 492 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 32, ) }, ... 32, ) == 0x0 00189 492 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00190 492 NtClose (32, ... ) == 0x0 00191 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00192 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00193 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00194 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00195 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00196 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00197 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... 
(0x1002f000), 8192, 4, ) == 0x0 00198 492 NtProtectVirtualMemory (-1, (0x1002f000), 8192, 4, ... (0x1002f000), 8192, 4, ) == 0x0 00199 492 NtFlushInstructionCache (-1, 268627968, 8192, ... ) == 0x0 00200 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00201 492 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3407872, 65536, ) == 0x0 00202 492 NtAllocateVirtualMemory (-1, 3407872, 0, 4096, 4096, 4, ... 3407872, 4096, ) == 0x0 00203 492 NtAllocateVirtualMemory (-1, 3411968, 0, 8192, 4096, 4, ... 3411968, 8192, ) == 0x0 00204 492 NtAllocateVirtualMemory (-1, 3420160, 0, 4096, 4096, 4, ... 3420160, 4096, ) == 0x0 00205 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00206 492 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1241732, 256, 1241476, 256} (24, {28, 56, new_msg, 0, 1241732, 256, 1241476, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\204\362\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 476, 492, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\204\362\22\0\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 476, 492, 1573, 0} (24, {28, 56, new_msg, 0, 1241732, 256, 1241476, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\204\362\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 476, 492, 1573, 0} "XQ\26\0\0\0\0\0\0\0\0\0\204\362\22\0\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00207 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00208 492 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x500000), 0x0, 1060864, ) == 0x0 00209 492 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 28, ) == 0x0 00210 492 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00211 492 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482012, ) == 0x0 00212 492 NtQueryInformationToken (-2147482012, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00213 492 NtQueryInformationToken (-2147482012, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00214 492 NtClose (-2147482012, ... ) == 0x0 00215 492 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3473408, 4096, ) == 0x0 00216 492 NtFreeVirtualMemory (-1, (0x350000), 4096, 32768, ... (0x350000), 4096, ) == 0x0 00217 492 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00218 492 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00219 492 NtQueryValueKey (-2147482012, (-2147482012, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 492 NtClose (-2147482012, ... ) == 0x0 00221 492 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00222 492 NtQueryValueKey (-2147482012, (-2147482012, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00223 492 NtClose (-2147482012, ... ) == 0x0 00224 492 NtQueryDefaultLocale (0, -136377844, ... ) == 0x0 00225 492 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00226 492 NtUserCallNoParam (24, ... ) == 0x0 00227 492 NtGdiCreateCompatibleDC (0, ... 00228 492 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00227 492 NtGdiCreateCompatibleDC ... 
) == 0xe010448 00229 492 NtGdiGetStockObject (0, ... ) == 0x1900010 00230 492 NtGdiGetStockObject (4, ... ) == 0x1900011 00231 492 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f 00232 492 NtGdiCreateSolidBrush (0, 0, ... 00233 492 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3538944, 4096, ) == 0x0 00232 492 NtGdiCreateSolidBrush ... ) == 0x8100452 00234 492 NtGdiGetStockObject (13, ... ) == 0x18a0021 00235 492 NtGdiCreateCompatibleDC (0, ... ) == 0x6010453 00236 492 NtGdiSelectBitmap (100729939, 184878159, ... ) == 0x185000f 00237 492 NtUserGetThreadDesktop (492, 0, ... ) == 0x28 00238 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00239 492 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00240 492 NtClose (48, ... ) == 0x0 00241 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00242 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 673, 128, 0, ... ) == 0x810cc017 00243 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00244 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 674, 128, 0, ... ) == 0x810cc01c 00245 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00246 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 675, 128, 0, ... ) == 0x810cc01e 00247 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00248 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 676, 128, 0, ... ) == 0x810c8002 00249 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... 
) == 0x10013 00250 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 677, 128, 0, ... ) == 0x810cc018 00251 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00252 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 678, 128, 0, ... ) == 0x810cc01a 00253 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00254 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 679, 128, 0, ... ) == 0x810cc01d 00255 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00256 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 681, 128, 0, ... ) == 0x810cc026 00257 492 NtUserFindExistingCursorIcon (1239816, 1239832, 1240400, ... ) == 0x10011 00258 492 NtUserRegisterClassExWOW (1240336, 1240416, 1240400, 1240432, 680, 128, 0, ... ) == 0x810cc019 00259 492 NtUserRegisterClassExWOW (1240288, 1240368, 1240352, 1240384, 0, 128, 0, ... ) == 0x810cc020 00260 492 NtUserRegisterClassExWOW (1240288, 1240364, 1240380, 1240352, 0, 130, 0, ... ) == 0x810cc022 00261 492 NtUserRegisterClassExWOW (1240288, 1240368, 1240352, 1240384, 0, 128, 0, ... ) == 0x810cc023 00262 492 NtUserRegisterClassExWOW (1240288, 1240364, 1240380, 1240352, 0, 130, 0, ... ) == 0x810cc024 00263 492 NtUserRegisterClassExWOW (1240288, 1240368, 1240352, 1240384, 0, 128, 0, ... 00264 492 NtAllocateVirtualMemory (-1, 6467584, 0, 4096, 4096, 32, ... 6467584, 4096, ) == 0x0 00263 492 NtUserRegisterClassExWOW ... ) == 0x810cc025 00265 492 NtCallbackReturn (0, 0, 0, ... 00266 492 NtGdiInit (... ) == 0x1 00267 492 NtGdiGetStockObject (18, ... ) == 0x290001c 00268 492 NtGdiGetStockObject (19, ... ) == 0x1b00019 00269 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00270 492 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00271 492 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00272 492 NtClose (48, ... ) == 0x0 00273 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00274 492 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00275 492 NtClose (48, ... ) == 0x0 00276 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00277 492 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00278 492 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 492 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 492 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00281 492 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00282 492 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00283 492 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00284 492 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 
1339392, 4096, ) == 0x0 00285 492 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00286 492 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1242144, 0, (0x1f0003, {24, 52, 0x80, 1242144, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00287 492 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00288 492 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00289 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00290 492 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00291 492 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00292 492 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00293 492 NtClose (60, ... ) == 0x0 00294 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 492 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00296 492 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00297 492 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00298 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00299 492 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00300 492 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 492 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 492 NtClose (60, ... ) == 0x0 00303 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00304 492 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 492 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 492 NtClose (60, ... ) == 0x0 00307 492 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 492 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00309 492 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00310 492 NtOpenKey (0x9, {24, 48, 0x40, 0, 0, (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 492 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 492 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00313 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00314 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00315 492 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00316 492 NtClose (60, ... ) == 0x0 00317 492 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00318 492 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00319 492 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00320 492 NtQueryDefaultUILanguage (1240380, ... 00321 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00322 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482012, ) == 0x0 00323 492 NtQueryInformationToken (-2147482012, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00324 492 NtClose (-2147482012, ... ) == 0x0 00325 492 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00326 492 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00327 492 NtOpenKey (0x80000000, {24, -2147482012, 0x640, 0, 0, (0x80000000, {24, -2147482012, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00328 492 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00329 492 NtClose (-2147482024, ... ) == 0x0 00330 492 NtClose (-2147482012, ... ) == 0x0 00320 492 NtQueryDefaultUILanguage ... ) == 0x0 00331 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00332 492 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00333 492 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00334 492 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00335 492 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x910000), 0x0, 593920, ) == 0x0 00336 492 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00337 492 NtQueryDefaultLocale (1, 1238416, ... ) == 0x0 00338 492 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00339 492 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1239272, 1, 96, 0} (24, {128, 156, new_msg, 0, 1239272, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\350\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 492, 1574, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\350\357\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 476, 492, 1574, 0} (24, {128, 156, new_msg, 0, 1239272, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\350\357\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 492, 1574, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\354\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\230\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\350\357\22\0\0\0\0\0" ) ) == 0x0 00340 492 NtClose (68, ... ) == 0x0 00341 492 NtClose (72, ... ) == 0x0 00342 492 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00343 492 NtUnmapViewOfSection (-1, 0x12efe8, ... ) == STATUS_NOT_MAPPED_VIEW 00344 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00345 492 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00346 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00347 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00348 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236956, ... ) }, 1236956, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00349 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00350 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00351 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00352 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237548, ... ) }, 1237548, ... ) == 0x0 00353 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00354 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00355 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00356 492 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00357 492 NtClose (68, ... ) == 0x0 00358 492 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x910000), 0x0, 921600, ) == 0x0 00359 492 NtClose (76, ... ) == 0x0 00360 492 NtUnmapViewOfSection (-1, 0x910000, ... ) == 0x0 00361 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00362 492 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 
68, ) == 0x0 00363 492 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00364 492 NtClose (76, ... ) == 0x0 00365 492 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00366 492 NtClose (68, ... ) == 0x0 00367 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00368 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00369 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00370 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00371 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00372 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00373 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00374 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00375 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00376 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00377 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00378 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00379 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00380 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00381 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00382 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00383 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00384 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00385 492 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... 
(0x71951000), 4096, 32, ) == 0x0 00386 492 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00387 492 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00388 492 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238732, ... ) , 42, 1238732, ... ) == 0x0 00389 492 NtQueryDefaultUILanguage (1237448, ... 00390 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00391 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482012, ) == 0x0 00392 492 NtQueryInformationToken (-2147482012, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00393 492 NtClose (-2147482012, ... ) == 0x0 00394 492 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00395 492 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00396 492 NtOpenKey (0x80000000, {24, -2147482012, 0x640, 0, 0, (0x80000000, {24, -2147482012, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00397 492 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00398 492 NtClose (-2147482024, ... ) == 0x0 00399 492 NtClose (-2147482012, ... ) == 0x0 00389 492 NtQueryDefaultUILanguage ... ) == 0x0 00400 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00401 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236300, ... ) }, 1236300, ... 
) == 0x0 00402 492 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00403 492 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00404 492 NtClose (68, ... ) == 0x0 00405 492 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 4096, ) == 0x0 00406 492 NtClose (76, ... ) == 0x0 00407 492 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 00408 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235940, ... ) }, 1235940, ... ) == 0x0 00409 492 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1236640, (0x80100080, {24, 0, 0x40, 0, 1236640, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00410 492 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00411 492 NtClose (76, ... ) == 0x0 00412 492 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 4096, ) == 0x0 00413 492 NtClose (68, ... ) == 0x0 00414 492 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 00415 492 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00416 492 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00417 492 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x380000), 0x0, 4096, ) == 0x0 00418 492 NtQueryInformationFile (68, 1236260, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00419 492 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00420 492 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236340, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236340, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0t\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 492, 1575, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0t\344\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 476, 492, 1575, 0} (24, {128, 156, new_msg, 0, 1236340, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0t\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 476, 492, 1575, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0t\344\22\0\0\0\0\0" ) ) == 0x0 00421 492 NtClose (68, ... ) == 0x0 00422 492 NtClose (76, ... ) == 0x0 00423 492 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 00424 492 NtUnmapViewOfSection (-1, 0x12e474, ... ) == STATUS_NOT_MAPPED_VIEW 00425 492 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00426 492 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00427 492 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00428 492 NtUserGetDC (0, ... ) == 0x1010052 00429 492 NtUserCallOneParam (16842834, 56, ... 
) == 0x1 00430 492 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00431 492 NtUserSystemParametersInfo (66, 12, 1238752, 0, ... ) == 0x1 00432 492 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00433 492 NtAccessCheck (1344696, 76, 0x1, 1238156, 1238100, 56, 1238184, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00434 492 NtClose (76, ... ) == 0x0 00435 492 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00436 492 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00437 492 NtClose (76, ... ) == 0x0 00438 492 NtUserSystemParametersInfo (41, 500, 1238252, 0, ... ) == 0x1 00439 492 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00440 492 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00441 492 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00442 492 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00443 492 NtClose (68, ... ) == 0x0 00444 492 NtClose (76, ... ) == 0x0 00445 492 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00446 492 NtUserSystemParametersInfo (4130, 0, 1238776, 0, ... ) == 0x1 00447 492 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00448 492 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00449 492 NtClose (76, ... ) == 0x0 00450 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00451 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... 
) == 0x810cc03b 00452 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc03d 00453 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00454 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc03f 00455 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00456 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc041 00457 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00458 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc043 00459 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc045 00460 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00461 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc047 00462 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00463 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc049 00464 492 NtUserGetClassInfo (1905590272, 1238672, 1238624, 1238700, 0, ... ) == 0xc049 00465 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00466 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc04b 00467 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00468 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc04d 00469 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00470 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc04f 00471 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc051 00472 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... 
) == 0x10011 00473 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc053 00474 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00475 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc055 00476 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc057 00477 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00478 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc059 00479 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10013 00480 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc05b 00481 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00482 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc05d 00483 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00484 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc05f 00485 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00486 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc017 00487 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00488 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc019 00489 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10013 00490 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc018 00491 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00492 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc01a 00493 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... 
) == 0x10011 00494 492 NtUserRegisterClassExWOW (1238508, 1238588, 1238572, 1238604, 0, 384, 0, ... ) == 0x810cc01c 00495 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00496 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc01e 00497 492 NtUserFindExistingCursorIcon (1238056, 1238072, 1238640, ... ) == 0x10011 00498 492 NtUserRegisterClassExWOW (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810cc01b 00499 492 NtUserFindExistingCursorIcon (1238052, 1238068, 1238636, ... ) == 0x10011 00500 492 NtUserRegisterClassExWOW (1238564, 1238644, 1238628, 1238660, 0, 384, 0, ... ) == 0x810cc068 00501 492 NtUserFindExistingCursorIcon (1238060, 1238076, 1238644, ... ) == 0x10011 00502 492 NtUserRegisterClassExWOW (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... 00503 492 NtAllocateVirtualMemory (-1, 6471680, 0, 4096, 4096, 32, ... 6471680, 4096, ) == 0x0 00502 492 NtUserRegisterClassExWOW ... ) == 0x810cc06a 00504 492 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00505 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00506 492 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3670016, 65536, ) == 0x0 00507 492 NtAllocateVirtualMemory (-1, 3670016, 0, 4096, 4096, 4, ... 3670016, 4096, ) == 0x0 00508 492 NtAllocateVirtualMemory (-1, 3674112, 0, 8192, 4096, 4, ... 3674112, 8192, ) == 0x0 00509 492 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {476, 0}, ... 68, ) == 0x0 00510 492 NtQueryInformationProcess (68, Session, 4, ... 
{SessionId=0,}, 0x0, ) == 0x0 00511 492 NtClose (68, ... ) == 0x0 00512 492 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00513 492 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00514 492 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00515 492 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 68, ) }, ... 68, ) == 0x0 00516 492 NtQueryValueKey (68, (68, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 492 NtClose (68, ... ) == 0x0 00518 492 NtUserSystemParametersInfo (41, 500, 1241744, 0, ... ) == 0x1 00519 492 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00520 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00521 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00522 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc03b 00523 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00524 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc03d 00525 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00526 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00527 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc03f 00528 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00529 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00530 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc041 00531 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00532 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... 
) == 0x10011 00533 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc043 00534 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00535 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc045 00536 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00537 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00538 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc047 00539 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00540 492 NtUserFindExistingCursorIcon (1241532, 1241548, 1242116, ... ) == 0x10011 00541 492 NtUserRegisterClassExWOW (1241984, 1242064, 1242048, 1242080, 0, 384, 0, ... ) == 0x810cc049 00542 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00543 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00544 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc04b 00545 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00546 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00547 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc04d 00548 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00549 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00550 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc04f 00551 492 NtUserGetClassInfo (1999896576, 1242156, 1242108, 1242184, 0, ... ) == 0x0 00552 492 NtUserRegisterClassExWOW (1241992, 1242072, 1242056, 1242088, 0, 384, 0, ... ) == 0x810cc051 00553 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... 
) == 0x0 00554 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00555 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc053 00556 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00557 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00558 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc055 00559 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc057 00560 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00561 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00562 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc059 00563 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00564 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10013 00565 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc05b 00566 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00567 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00568 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc05d 00569 492 NtUserGetClassInfo (1999896576, 1242152, 1242104, 1242180, 0, ... ) == 0x0 00570 492 NtUserFindExistingCursorIcon (1241536, 1241552, 1242120, ... ) == 0x10011 00571 492 NtUserRegisterClassExWOW (1241988, 1242068, 1242052, 1242084, 0, 384, 0, ... ) == 0x810cc05f 00572 492 NtAllocateVirtualMemory (-1, 0, 0, 6144, 4096, 4, ... 3801088, 8192, ) == 0x0 00573 492 NtAllocateVirtualMemory (-1, 0, 0, 106766, 4096, 4, ... 3866624, 110592, ) == 0x0 00574 492 NtFreeVirtualMemory (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 110592, ) == 0x0 00575 492 NtAllocateVirtualMemory (-1, 0, 0, 8462, 4096, 4, ... 
3866624, 12288, ) == 0x0 00576 492 NtFreeVirtualMemory (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 12288, ) == 0x0 00577 492 NtAllocateVirtualMemory (-1, 0, 0, 4034, 4096, 4, ... 3866624, 4096, ) == 0x0 00578 492 NtFreeVirtualMemory (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 4096, ) == 0x0 00579 492 NtAllocateVirtualMemory (-1, 0, 0, 20750, 4096, 4, ... 3866624, 24576, ) == 0x0 00580 492 NtFreeVirtualMemory (-1, (0x3b0000), 0, 32768, ... (0x3b0000), 24576, ) == 0x0 00581 492 NtFreeVirtualMemory (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 8192, ) == 0x0 00582 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00583 492 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3801088, 65536, ) == 0x0 00584 492 NtAllocateVirtualMemory (-1, 3801088, 0, 4096, 4096, 4, ... 3801088, 4096, ) == 0x0 00585 492 NtAllocateVirtualMemory (-1, 3805184, 0, 8192, 4096, 4, ... 3805184, 8192, ) == 0x0 00586 492 NtAllocateVirtualMemory (-1, 3813376, 0, 4096, 4096, 4, ... 3813376, 4096, ) == 0x0 00587 492 NtQueryPerformanceCounter (... {109398197, 0}, {3579545, 0}, ) == 0x0 00588 492 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 9502720, 524288, ) == 0x0 00589 492 NtAllocateVirtualMemory (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0 00590 492 NtAllocateVirtualMemory (-1, 1355776, 0, 8192, 4096, 4, ... 1355776, 8192, ) == 0x0 00591 492 NtUserGetDC (0, ... ) == 0x1010052 00592 492 NtUserCallOneParam (16842834, 56, ... ) == 0x1 00593 492 NtUserFindExistingCursorIcon (1241384, 1241400, 1241968, ... ) == 0x10015 00594 492 NtUserFindExistingCursorIcon (1241384, 1241400, 1241968, ... ) == 0x10011 00595 492 NtUserRegisterWindowMessage ( ("commctrl_DragListMsg", ... ) , ... 
) == 0xc083 00596 492 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00597 492 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00598 492 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00599 492 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00600 492 NtQueryDefaultUILanguage (1241544, ... 00601 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00602 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482012, ) == 0x0 00603 492 NtQueryInformationToken (-2147482012, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00604 492 NtClose (-2147482012, ... ) == 0x0 00605 492 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482012, ) }, ... -2147482012, ) == 0x0 00606 492 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00607 492 NtOpenKey (0x80000000, {24, -2147482012, 0x640, 0, 0, (0x80000000, {24, -2147482012, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482024, ) }, ... -2147482024, ) == 0x0 00608 492 NtQueryValueKey (-2147482024, (-2147482024, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00609 492 NtClose (-2147482024, ... ) == 0x0 00610 492 NtClose (-2147482012, ... ) == 0x0 00600 492 NtQueryDefaultUILanguage ... ) == 0x0 00611 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00612 492 NtOpenProcessToken (-1, 0x8, ... 
68, ) == 0x0 00613 492 NtQueryInformationToken (68, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00614 492 NtClose (68, ... ) == 0x0 00615 492 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00616 492 NtReleaseMutant (16, ... 00617 492 NtContinue (-136380280, 0, ... 00616 492 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00618 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238920, ... ) }, 1238920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00619 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239236, ... ) }, 1239236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00620 492 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00621 492 NtReleaseMutant (16, ... 00622 492 NtContinue (-136380280, 0, ... 00621 492 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00623 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238920, ... ) }, 1238920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00624 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239236, ... ) }, 1239236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00625 492 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00626 492 NtReleaseMutant (16, ... 00627 492 NtContinue (-136380280, 0, ... 00626 492 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00628 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238920, ... ) }, 1238920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00629 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239236, ... ) }, 1239236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 492 NtWaitForSingleObject (16, 0, 0x0, ... ) == STATUS_ACCESS_DENIED 00631 492 NtReleaseMutant (16, ... 
00632 492 NtContinue (-136380280, 0, ... 00631 492 NtReleaseMutant ... ) == STATUS_MUTANT_NOT_OWNED 00633 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1238920, ... ) }, 1238920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00634 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaENU.dll"}, 1239236, ... ) }, 1239236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00635 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaLOC.dll"}, 1238920, ... ) }, 1238920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00636 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ieaLOC.dll"}, 1239236, ... ) }, 1239236, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00637 492 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 00638 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1239168, ... ) }, 1239168, ... ) == 0x0 00639 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1237980, ... ) }, 1237980, ... ) == 0x0 00640 492 NtQueryDefaultLocale (1, 1240048, ... ) == 0x0 00641 492 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 00642 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00643 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00644 492 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00645 492 NtClose (68, ... ) == 0x0 00646 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 68, ) }, ... 68, ) == 0x0 00647 492 NtSetInformationObject (70, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00648 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00649 492 NtOpenKey (0x2001f, {24, 70, 0x40, 0, 0, (0x2001f, {24, 70, 0x40, 0, 0, "AppID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00650 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\AppID"}, ... 80, ) }, ... 80, ) == 0x0 00651 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00652 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00653 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00654 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00655 492 NtClose (84, ... ) == 0x0 00656 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00657 492 NtOpenKey (0x2001f, {24, 82, 0x40, 0, 0, (0x2001f, {24, 82, 0x40, 0, 0, "{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00658 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00659 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00660 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00661 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00662 492 NtClose (84, ... ) == 0x0 00663 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00664 492 NtOpenKey (0x20019, {24, 82, 0x40, 0, 0, (0x20019, {24, 82, 0x40, 0, 0, "{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00665 492 NtQueryKey (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00666 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00667 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00668 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00669 492 NtClose (84, ... ) == 0x0 00670 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00671 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0 00672 492 NtCreateKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 00673 492 NtSetInformationFile (-2147482808, -136379356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00674 492 NtSetInformationFile (-2147482808, -136379828, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00675 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00672 492 NtCreateKey ... 88, 1, ) == 0x0 00676 492 NtClose (84, ... ) == 0x0 00677 492 NtQueryKey (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}_"}, 162, ) }, 162, ) == 0x0 00678 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00679 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00680 492 NtQueryInformationToken (84, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00681 492 NtClose (84, ... ) == 0x0 00682 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\{BD4BAFB3-3E38-4668-8EC5-AE0118560AC5}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00683 492 NtSetValueKey (90, 0x0, 0, 1, (90, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 24, ... ) , 24, ... ) == 0x0 00684 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00685 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00686 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00687 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00688 492 NtClose (84, ... ) == 0x0 00689 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00690 492 NtOpenKey (0x2001f, {24, 82, 0x40, 0, 0, (0x2001f, {24, 82, 0x40, 0, 0, "IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00691 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00692 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00693 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00694 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00695 492 NtClose (84, ... ) == 0x0 00696 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 492 NtOpenKey (0x20019, {24, 82, 0x40, 0, 0, (0x20019, {24, 82, 0x40, 0, 0, "IEAssistant.DLL"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00698 492 NtQueryKey (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID"}, 84, ) }, 84, ) == 0x0 00699 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00700 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00701 492 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00702 492 NtClose (84, ... ) == 0x0 00703 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00704 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 84, ) }, ... 84, ) == 0x0 00705 492 NtCreateKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "AppID\IEAssistant.DLL"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0 00706 492 NtClose (84, ... ) == 0x0 00707 492 NtClose (90, ... ) == 0x0 00708 492 NtQueryKey (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IEAssistant.DLL"}, 116, ) }, 116, ) == 0x0 00709 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00710 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00711 492 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00712 492 NtClose (88, ... ) == 0x0 00713 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\AppID\IEAssistant.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00714 492 NtSetValueKey (94, (94, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... 
) , 0, 1, (94, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 00715 492 NtClose (94, ... ) == 0x0 00716 492 NtClose (82, ... ) == 0x0 00717 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1239144, ... ) }, 1239144, ... ) == 0x0 00718 492 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iea.dll"}, 1237956, ... ) }, 1237956, ... ) == 0x0 00719 492 NtQueryDefaultLocale (1, 1240024, ... ) == 0x0 00720 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00721 492 NtOpenKey (0x2001f, {24, 70, 0x40, 0, 0, (0x2001f, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00722 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00723 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0 00724 492 NtOpenKey (0x20019, {24, 70, 0x40, 0, 0, (0x20019, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00725 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00726 492 NtQueryKey (70, Name, 382, ... {Name= (70, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0 00727 492 NtOpenKey (0x2000000, {24, 70, 0x40, 0, 0, (0x2000000, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant.1"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00728 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 80, ) == 0x0 00729 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "IEAssistant.Assistant.1"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 00730 492 NtSetInformationFile (-2147482808, -136379460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00731 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00729 492 NtCreateKey ... 92, 1, ) == 0x0 00732 492 NtClose (80, ... ) == 0x0 00733 492 NtQueryKey (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0 00734 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00735 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00736 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00737 492 NtClose (80, ... ) == 0x0 00738 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00739 492 NtSetValueKey (94, 0x0, 0, 1, (94, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0 00740 492 NtQueryKey (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0 00741 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00742 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00743 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00744 492 NtClose (80, ... 
) == 0x0 00745 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00746 492 NtOpenKey (0x2001f, {24, 94, 0x40, 0, 0, (0x2001f, {24, 94, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00747 492 NtQueryKey (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0 00748 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00749 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00750 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00751 492 NtClose (80, ... ) == 0x0 00752 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00753 492 NtOpenKey (0x20019, {24, 94, 0x40, 0, 0, (0x20019, {24, 94, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00754 492 NtQueryKey (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1"}, 120, ) }, 120, ) == 0x0 00755 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00756 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00757 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00758 492 NtClose (80, ... ) == 0x0 00759 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 
80, ) == 0x0 00761 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "IEAssistant.Assistant.1\CLSID"}, 0, 0x0, 0, ... 88, 1, ) }, 0, 0x0, 0, ... 88, 1, ) == 0x0 00762 492 NtClose (80, ... ) == 0x0 00763 492 NtQueryKey (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant.1\CLSID"}, 132, ) }, 132, ) == 0x0 00764 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00765 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00766 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00767 492 NtClose (80, ... ) == 0x0 00768 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant.1\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00769 492 NtSetValueKey (90, 0x0, 0, 1, (90, 0x0, 0, 1, "{\0B\00\08\0D\03\02\0D\0E\0-\06\04\0B\02\0-\04\01\03\07\0-\08\03\04\05\0-\08\07\02\09\03\0E\07\00\0D\04\00\0B\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 00770 492 NtClose (90, ... ) == 0x0 00771 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00772 492 NtOpenKey (0x2001f, {24, 70, 0x40, 0, 0, (0x2001f, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00773 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00774 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0 00775 492 NtOpenKey (0x20019, {24, 70, 0x40, 0, 0, (0x20019, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00776 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00777 492 NtQueryKey (70, Name, 382, ... {Name= (70, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESA"}, 138, ) }, 138, ) == 0x0 00778 492 NtOpenKey (0x2000000, {24, 70, 0x40, 0, 0, (0x2000000, {24, 70, 0x40, 0, 0, "IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00779 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 88, ) }, ... 88, ) == 0x0 00780 492 NtCreateKey (0x2001f, {24, 88, 0x40, 0, 0, (0x2001f, {24, 88, 0x40, 0, 0, "IEAssistant.Assistant"}, 0, 0x0, 0, ... 80, 1, ) }, 0, 0x0, 0, ... 80, 1, ) == 0x0 00781 492 NtClose (88, ... ) == 0x0 00782 492 NtClose (94, ... ) == 0x0 00783 492 NtQueryKey (82, Name, 392, ... {Name= (82, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00784 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00785 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00786 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00787 492 NtClose (92, ... ) == 0x0 00788 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00789 492 NtSetValueKey (82, 0x0, 0, 1, (82, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0 00790 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00791 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00792 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00793 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00794 492 NtClose (92, ... ) == 0x0 00795 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00796 492 NtOpenKey (0x2001f, {24, 82, 0x40, 0, 0, (0x2001f, {24, 82, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00797 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00798 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00799 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00800 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00801 492 NtClose (92, ... ) == 0x0 00802 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00803 492 NtOpenKey (0x20019, {24, 82, 0x40, 0, 0, (0x20019, {24, 82, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00804 492 NtQueryKey (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00805 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00806 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00807 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00808 492 NtClose (92, ... 
) == 0x0 00809 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00810 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0 00811 492 NtCreateKey (0x2001f, {24, 92, 0x40, 0, 0, (0x2001f, {24, 92, 0x40, 0, 0, "IEAssistant.Assistant\CLSID"}, 0, 0x0, 0, ... 88, 1, ) }, 0, 0x0, 0, ... 88, 1, ) == 0x0 00812 492 NtClose (92, ... ) == 0x0 00813 492 NtQueryKey (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant\CLSID"}, 128, ) }, 128, ) == 0x0 00814 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00815 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00816 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00817 492 NtClose (92, ... ) == 0x0 00818 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00819 492 NtSetValueKey (90, 0x0, 0, 1, (90, 0x0, 0, 1, "{\0B\00\08\0D\03\02\0D\0E\0-\06\04\0B\02\0-\04\01\03\07\0-\08\03\04\05\0-\08\07\02\09\03\0E\07\00\0D\04\00\0B\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 00820 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00821 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00822 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00823 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00824 492 NtClose (92, ... 
) == 0x0 00825 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00826 492 NtOpenKey (0x2001f, {24, 82, 0x40, 0, 0, (0x2001f, {24, 82, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00827 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00828 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00829 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00830 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00831 492 NtClose (92, ... ) == 0x0 00832 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00833 492 NtOpenKey (0x20019, {24, 82, 0x40, 0, 0, (0x20019, {24, 82, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00834 492 NtQueryKey (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant"}, 116, ) }, 116, ) == 0x0 00835 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00836 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00837 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00838 492 NtClose (92, ... ) == 0x0 00839 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00840 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 
92, ) == 0x0 00841 492 NtCreateKey (0x2001f, {24, 92, 0x40, 0, 0, (0x2001f, {24, 92, 0x40, 0, 0, "IEAssistant.Assistant\CurVer"}, 0, 0x0, 0, ... 84, 1, ) }, 0, 0x0, 0, ... 84, 1, ) == 0x0 00842 492 NtClose (92, ... ) == 0x0 00843 492 NtClose (90, ... ) == 0x0 00844 492 NtQueryKey (86, Name, 392, ... {Name= (86, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\IEAssistant.Assistant\CurVer9"}, 130, ) }, 130, ) == 0x0 00845 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00846 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 88, ) == 0x0 00847 492 NtQueryInformationToken (88, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00848 492 NtClose (88, ... ) == 0x0 00849 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\IEAssistant.Assistant\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00850 492 NtSetValueKey (86, 0x0, 0, 1, (86, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\01\0\0\0", 48, ... ) , 48, ... ) == 0x0 00851 492 NtClose (86, ... ) == 0x0 00852 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00853 492 NtOpenKey (0x2001f, {24, 70, 0x40, 0, 0, (0x2001f, {24, 70, 0x40, 0, 0, "CLSID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID"}, ... 84, ) }, ... 84, ) == 0x0 00855 492 NtClose (82, ... ) == 0x0 00856 492 NtQueryKey (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0 00857 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00858 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00859 492 NtQueryInformationToken (80, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00860 492 NtClose (80, ... ) == 0x0 00861 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00862 492 NtOpenKey (0x2001f, {24, 86, 0x40, 0, 0, (0x2001f, {24, 86, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00863 492 NtQueryKey (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0 00864 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00865 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00866 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00867 492 NtClose (80, ... ) == 0x0 00868 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00869 492 NtOpenKey (0x2001f, {24, 86, 0x40, 0, 0, (0x2001f, {24, 86, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00870 492 NtQueryKey (86, Name, 384, ... {Name= (86, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0 00871 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00872 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00873 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00874 492 NtClose (80, ... ) == 0x0 00875 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00876 492 NtOpenKey (0x20019, {24, 86, 0x40, 0, 0, (0x20019, {24, 86, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00877 492 NtQueryKey (86, Name, 382, ... {Name= (86, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID"}, 84, ) }, 84, ) == 0x0 00878 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00879 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00880 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00881 492 NtClose (80, ... ) == 0x0 00882 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 80, ) == 0x0 00884 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 00885 492 NtSetInformationFile (-2147482808, -136379356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00886 492 NtSetInformationFile (-2147482808, -136379460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00887 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00884 492 NtCreateKey ... 88, 1, ) == 0x0 00888 492 NtClose (80, ... ) == 0x0 00889 492 NtQueryKey (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00890 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00891 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00892 492 NtQueryInformationToken (80, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00893 492 NtClose (80, ... ) == 0x0 00894 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 492 NtSetValueKey (90, 0x0, 0, 1, (90, 0x0, 0, 1, "A\0s\0s\0i\0s\0t\0a\0n\0t\0 \0C\0l\0a\0s\0s\0\0\0", 32, ... ) , 32, ... ) == 0x0 00896 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00897 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00898 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00899 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00900 492 NtClose (80, ... ) == 0x0 00901 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00902 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00904 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00905 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00906 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00907 492 NtClose (80, ... ) == 0x0 00908 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00909 492 NtOpenKey (0x20019, {24, 90, 0x40, 0, 0, (0x20019, {24, 90, 0x40, 0, 0, "ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 492 NtQueryKey (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00911 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00912 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00913 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00914 492 NtClose (80, ... ) == 0x0 00915 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 80, ) == 0x0 00917 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0 00918 492 NtClose (80, ... ) == 0x0 00919 492 NtQueryKey (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, 176, ) }, 176, ) == 0x0 00920 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00921 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00922 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00923 492 NtClose (80, ... ) == 0x0 00924 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\ProgID"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00925 492 NtSetValueKey (94, 0x0, 0, 1, (94, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\01\0\0\0", 48, ... ) , 48, ... ) == 0x0 00926 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00927 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00928 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00929 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00930 492 NtClose (80, ... ) == 0x0 00931 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00934 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00935 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00936 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00937 492 NtClose (80, ... ) == 0x0 00938 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 492 NtOpenKey (0x20019, {24, 90, 0x40, 0, 0, (0x20019, {24, 90, 0x40, 0, 0, "VersionIndependentProgID"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00940 492 NtQueryKey (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00941 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00942 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00943 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00944 492 NtClose (80, ... ) == 0x0 00945 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 80, ) == 0x0 00947 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, 0, 0x0, 0, ... 96, 1, ) }, 0, 0x0, 0, ... 96, 1, ) == 0x0 00948 492 NtClose (80, ... ) == 0x0 00949 492 NtClose (94, ... ) == 0x0 00950 492 NtQueryKey (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, 212, ) }, 212, ) == 0x0 00951 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00952 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00953 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00954 492 NtClose (92, ... ) == 0x0 00955 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\VersionIndependentProgID"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00956 492 NtSetValueKey (98, 0x0, 0, 1, (98, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0.\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 44, ... ) , 44, ... ) == 0x0 00957 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00958 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00959 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00960 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00961 492 NtClose (92, ... ) == 0x0 00962 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00963 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00965 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00966 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00967 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00968 492 NtClose (92, ... ) == 0x0 00969 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00971 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00972 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00973 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00974 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00975 492 NtClose (92, ... ) == 0x0 00976 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00977 492 NtOpenKey (0x20019, {24, 90, 0x40, 0, 0, (0x20019, {24, 90, 0x40, 0, 0, "Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00978 492 NtQueryKey (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00979 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00980 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 00981 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00982 492 NtClose (92, ... ) == 0x0 00983 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00984 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0 00985 492 NtCreateKey (0x2001f, {24, 92, 0x40, 0, 0, (0x2001f, {24, 92, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\Programmable"}, 0, 0x0, 0, ... 80, 1, ) }, 0, 0x0, 0, ... 80, 1, ) == 0x0 00986 492 NtClose (92, ... ) == 0x0 00987 492 NtClose (98, ... ) == 0x0 00988 492 NtQueryKey (90, Name, 384, ... 
{Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 162, ) }, 162, ) == 0x0 00989 492 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00990 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00991 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 96, ) == 0x0 00992 492 NtQueryInformationToken (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00993 492 NtClose (96, ... ) == 0x0 00994 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00995 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00996 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 00997 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00998 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 96, ) == 0x0 00999 492 NtQueryInformationToken (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01000 492 NtClose (96, ... ) == 0x0 01001 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01002 492 NtOpenKey (0x20019, {24, 90, 0x40, 0, 0, (0x20019, {24, 90, 0x40, 0, 0, "InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 492 NtQueryKey (90, Name, 382, ... {Name= (90, Name, 382, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 01004 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01005 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 96, ) == 0x0 01006 492 NtQueryInformationToken (96, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01007 492 NtClose (96, ... ) == 0x0 01008 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01009 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 96, ) }, ... 96, ) == 0x0 01010 492 NtCreateKey (0x2001f, {24, 96, 0x40, 0, 0, (0x2001f, {24, 96, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0 01011 492 NtClose (96, ... ) == 0x0 01012 492 NtClose (82, ... ) == 0x0 01013 492 NtQueryKey (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 192, ) }, 192, ) == 0x0 01014 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01015 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01016 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01017 492 NtClose (80, ... ) == 0x0 01018 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01019 492 NtSetValueKey (94, 0x0, 0, 1, (94, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0a\0.\0d\0l\0l\0\0\0", 56, ... ) , 56, ... 
) == 0x0 01020 492 NtQueryKey (94, Name, 392, ... {Name= (94, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, 192, ) }, 192, ) == 0x0 01021 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01022 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01023 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01024 492 NtClose (80, ... ) == 0x0 01025 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01026 492 NtSetValueKey (94, (94, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 0, 1, (94, "ThreadingModel", 0, 1, "A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0", 20, ... ) , 20, ... ) == 0x0 01027 492 NtQueryKey (90, Name, 392, ... {Name= (90, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 01028 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01029 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01030 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01031 492 NtClose (80, ... ) == 0x0 01032 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01033 492 NtSetValueKey (90, (90, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... ) , 0, 1, (90, "AppID", 0, 1, "{\0B\0D\04\0B\0A\0F\0B\03\0-\03\0E\03\08\0-\04\06\06\08\0-\08\0E\0C\05\0-\0A\0E\00\01\01\08\05\06\00\0A\0C\05\0}\0\0\0", 78, ... 
) , 78, ... ) == 0x0 01034 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 01035 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01036 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01037 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01038 492 NtClose (80, ... ) == 0x0 01039 492 NtOpenKey (0x2001f, {24, 0, 0x40, 0, 0, (0x2001f, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01040 492 NtOpenKey (0x2001f, {24, 90, 0x40, 0, 0, (0x2001f, {24, 90, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01041 492 NtQueryKey (90, Name, 384, ... {Name= (90, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 01042 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01043 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01044 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01045 492 NtClose (80, ... ) == 0x0 01046 492 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01047 492 NtOpenKey (0x20019, {24, 90, 0x40, 0, 0, (0x20019, {24, 90, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01048 492 NtQueryKey (90, Name, 382, ... {Name= (90, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}_"}, 162, ) }, 162, ) == 0x0 01049 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01050 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 01051 492 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01052 492 NtClose (80, ... ) == 0x0 01053 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01054 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 80, ) }, ... 80, ) == 0x0 01055 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01056 492 NtSetInformationFile (-2147482808, -136379584, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01055 492 NtCreateKey ... 96, 1, ) == 0x0 01057 492 NtClose (80, ... ) == 0x0 01058 492 NtClose (94, ... ) == 0x0 01059 492 NtQueryKey (98, Name, 392, ... {Name= (98, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib\"}, 178, ) }, 178, ) == 0x0 01060 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01061 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01062 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01063 492 NtClose (92, ... ) == 0x0 01064 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{B08D32DE-64B2-4137-8345-87293E70D40B}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01065 492 NtSetValueKey (98, 0x0, 0, 1, (98, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01066 492 NtClose (98, ... 
) == 0x0 01067 492 NtClose (90, ... ) == 0x0 01068 492 NtClose (86, ... ) == 0x0 01069 492 NtOpenKey (0x2001f, {24, 48, 0x40, 0, 0, (0x2001f, {24, 48, 0x40, 0, 0, "SOFTWARE"}, ... 84, ) }, ... 84, ) == 0x0 01070 492 NtOpenKey (0x2001f, {24, 84, 0x40, 0, 0, (0x2001f, {24, 84, 0x40, 0, 0, "Microsoft"}, ... 88, ) }, ... 88, ) == 0x0 01071 492 NtOpenKey (0x2001f, {24, 88, 0x40, 0, 0, (0x2001f, {24, 88, 0x40, 0, 0, "Windows"}, ... 96, ) }, ... 96, ) == 0x0 01072 492 NtOpenKey (0x2001f, {24, 96, 0x40, 0, 0, (0x2001f, {24, 96, 0x40, 0, 0, "CurrentVersion"}, ... 92, ) }, ... 92, ) == 0x0 01073 492 NtOpenKey (0x2001f, {24, 92, 0x40, 0, 0, (0x2001f, {24, 92, 0x40, 0, 0, "Explorer"}, ... 80, ) }, ... 80, ) == 0x0 01074 492 NtOpenKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "Browser Helper Objects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01075 492 NtOpenKey (0x20019, {24, 80, 0x40, 0, 0, (0x20019, {24, 80, 0x40, 0, 0, "Browser Helper Objects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01076 492 NtCreateKey (0x2001f, {24, 80, 0x40, 0, 0, (0x2001f, {24, 80, 0x40, 0, 0, "Browser Helper Objects"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01077 492 NtSetInformationFile (-2147482808, -136379356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01078 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01076 492 NtCreateKey ... 100, 1, ) == 0x0 01079 492 NtOpenKey (0x2001f, {24, 100, 0x40, 0, 0, (0x2001f, {24, 100, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01080 492 NtOpenKey (0x2001f, {24, 100, 0x40, 0, 0, (0x2001f, {24, 100, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 492 NtOpenKey (0x20019, {24, 100, 0x40, 0, 0, (0x20019, {24, 100, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01082 492 NtCreateKey (0x2001f, {24, 100, 0x40, 0, 0, (0x2001f, {24, 100, 0x40, 0, 0, "{B08D32DE-64B2-4137-8345-87293E70D40B}"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0 01083 492 NtSetValueKey (104, 0x0, 0, 1, (104, 0x0, 0, 1, "I\0E\0 \0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 26, ... ) , 26, ... ) == 0x0 01084 492 NtClose (104, ... ) == 0x0 01085 492 NtClose (100, ... ) == 0x0 01086 492 NtClose (80, ... ) == 0x0 01087 492 NtClose (92, ... ) == 0x0 01088 492 NtClose (96, ... ) == 0x0 01089 492 NtClose (88, ... ) == 0x0 01090 492 NtClose (84, ... ) == 0x0 01091 492 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242728, (0x80100080, {24, 0, 0x40, 0, 1242728, "\??\C:\WINDOWS\System32\iea.dll"}, 0x0, 0, 1, 1, 2144, 0, 0, ... 84, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2144, 0, 0, ... 84, {status=0x0, info=1}, ) == 0x0 01092 492 NtQueryInformationFile (84, 1242768, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01093 492 NtSetInformationFile (84, 1242768, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01094 492 NtReadFile (84, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, (84, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\370\0\0\0", ) , ) == 0x0 01095 492 NtSetInformationFile (84, 1242768, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01096 492 NtSetInformationFile (84, 1242364, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01097 492 NtReadFile (84, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (84, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "PE\0\0", ) , ) == 0x0 01098 492 NtReadFile (84, 0, 0, 0, 20, 0x0, 0, ... {status=0x0, info=20}, (84, 0, 0, 0, 20, 0x0, 0, ... {status=0x0, info=20}, "L\1\7\0\277_(F\0\0\0\0\0\0\0\0\340\0\16!", ) , ) == 0x0 01099 492 NtQueryInformationFile (84, 1242364, 8, Position, ... 
{status=0x0, info=8}, ) == 0x0 01100 492 NtSetInformationFile (84, 1242364, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01101 492 NtReadFile (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".text\0\0\0\0\240\1\0\0\20\0\0\0\340\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0 01102 492 NtReadFile (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rdata\0\0\0p\0\0\0\260\1\0\0p\0\0\0\346\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0 01103 492 NtReadFile (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".data\0\0\0\0`\0\0\0 \2\0\0\12\0\0\0V\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0 01104 492 NtReadFile (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, (84, 0, 0, 0, 40, 0x0, 0, ... {status=0x0, info=40}, ".rsrc\0\0\0\0 \0\0\0\200\2\0\0\22\0\0\0`\1\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\300", ) , ) == 0x0 01105 492 NtQueryInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01106 492 NtSetInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01107 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01108 492 NtReadFile (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\2\0\2\0", ) , ) == 0x0 01109 492 NtReadFile (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "`\1\0\2000\0\0\200", ) , ) == 0x0 01110 492 NtQueryInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01111 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01112 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01113 492 NtReadFile (84, 0, 0, 0, 2, 0x0, 0, ... 
{status=0x0, info=2}, (84, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "\10\0", ) , ) == 0x0 01114 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01115 492 NtReadFile (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "r\1\0\200P\0\0\200", ) , ) == 0x0 01116 492 NtQueryInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01117 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01118 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01119 492 NtReadFile (84, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, (84, 0, 0, 0, 2, 0x0, 0, ... {status=0x0, info=2}, "\7\0", ) , ) == 0x0 01120 492 NtReadFile (84, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, (84, 0, 0, 0, 14, 0x0, 0, ... {status=0x0, info=14}, "T\0Y\0P\0E\0L\0I\0B\0", ) , ) == 0x0 01121 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01122 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01123 492 NtQueryInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01124 492 NtSetInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01125 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01126 492 NtReadFile (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0", ) , ) == 0x0 01127 492 NtQueryInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01128 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01129 492 NtReadFile (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "\1\0\0\0\310\0\0\200", ) , ) == 0x0 01130 492 NtSetInformationFile (84, 1242032, 8, Position, ... 
{status=0x0, info=0}, ) == 0x0 01131 492 NtQueryInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=8}, ) == 0x0 01132 492 NtSetInformationFile (84, 1242036, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01133 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01134 492 NtReadFile (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0", ) , ) == 0x0 01135 492 NtReadFile (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, (84, 0, 0, 0, 8, 0x0, 0, ... {status=0x0, info=8}, "\11\4\0\00\1\0\0", ) , ) == 0x0 01136 492 NtSetInformationFile (84, 1242032, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01137 492 NtSetInformationFile (84, 1242364, 8, Position, ... {status=0x0, info=0}, ) == 0x0 01138 492 NtReadFile (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, (84, 0, 0, 0, 16, 0x0, 0, ... {status=0x0, info=16}, "\340\211\2\0l\7\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01139 492 NtQueryInformationFile (84, 1242716, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01140 492 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 84, ... 88, ) == 0x0 01141 492 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01142 492 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01143 492 NtMapViewOfSection (88, -1, (0x0), 0, 0, {65536, 0}, 29004, 1, 0, 2, ... (0x3b0000), {65536, 0}, 32768, ) == 0x0 01144 492 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01145 492 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 01146 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01147 492 NtOpenKey (0x2000000, {24, 70, 0x40, 0, 0, (0x2000000, {24, 70, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01148 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\TypeLib"}, ... 96, ) }, ... 96, ) == 0x0 01149 492 NtQueryKey (98, Name, 384, ... {Name= (98, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib"}, 88, ) }, 88, ) == 0x0 01150 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01151 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01152 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01153 492 NtClose (92, ... ) == 0x0 01154 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01155 492 NtOpenKey (0x2000000, {24, 98, 0x40, 0, 0, (0x2000000, {24, 98, 0x40, 0, 0, "{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01156 492 NtQueryKey (98, Name, 382, ... {Name= (98, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib"}, 88, ) }, 88, ) == 0x0 01157 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01158 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01159 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01160 492 NtClose (92, ... 
) == 0x0 01161 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01162 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0 01163 492 NtCreateKey (0x2000000, {24, 92, 0x40, 0, 0, (0x2000000, {24, 92, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01164 492 NtSetInformationFile (-2147482808, -136379356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01165 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01163 492 NtCreateKey ... 80, 1, ) == 0x0 01166 492 NtClose (92, ... ) == 0x0 01167 492 NtQueryKey (82, Name, 384, ... {Name= (82, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}l"}, 166, ) }, 166, ) == 0x0 01168 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01169 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01170 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01171 492 NtClose (92, ... ) == 0x0 01172 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 492 NtOpenKey (0x2000000, {24, 82, 0x40, 0, 0, (0x2000000, {24, 82, 0x40, 0, 0, "1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 492 NtQueryKey (82, Name, 382, ... {Name= (82, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}l"}, 166, ) }, 166, ) == 0x0 01175 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01176 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01177 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01178 492 NtClose (92, ... ) == 0x0 01179 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0 01181 492 NtCreateKey (0x2000000, {24, 92, 0x40, 0, 0, (0x2000000, {24, 92, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, 0, 0x0, 0, ... 100, 1, ) }, 0, 0x0, 0, ... 100, 1, ) == 0x0 01182 492 NtClose (92, ... ) == 0x0 01183 492 NtQueryKey (102, Name, 392, ... {Name= (102, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01184 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01185 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01186 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01187 492 NtClose (92, ... ) == 0x0 01188 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 492 NtQueryValueKey (102, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01190 492 NtQueryKey (102, Name, 392, ... {Name= (102, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01191 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01192 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01193 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01194 492 NtClose (92, ... ) == 0x0 01195 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01196 492 NtSetValueKey (102, 0x0, 0, 1, (102, 0x0, 0, 1, "I\0E\0A\0s\0s\0i\0s\0t\0a\0n\0t\0 \01\0.\00\0 \0T\0y\0p\0e\0 \0L\0i\0b\0r\0a\0r\0y\0\0\0", 58, ... ) , 58, ... ) == 0x0 01197 492 NtQueryKey (102, Name, 384, ... {Name= (102, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01198 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01199 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01200 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01201 492 NtClose (92, ... ) == 0x0 01202 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01203 492 NtOpenKey (0x2000000, {24, 102, 0x40, 0, 0, (0x2000000, {24, 102, 0x40, 0, 0, "FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 492 NtQueryKey (102, Name, 382, ... {Name= (102, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01205 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01206 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01207 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01208 492 NtClose (92, ... 
) == 0x0 01209 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01210 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 92, ) }, ... 92, ) == 0x0 01211 492 NtCreateKey (0x2000000, {24, 92, 0x40, 0, 0, (0x2000000, {24, 92, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0 01212 492 NtClose (92, ... ) == 0x0 01213 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGSe"}, 186, ) }, 186, ) == 0x0 01214 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01215 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01216 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01217 492 NtClose (92, ... ) == 0x0 01218 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 492 NtQueryValueKey (106, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGSe"}, 186, ) }, 186, ) == 0x0 01221 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01222 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 92, ) == 0x0 01223 492 NtQueryInformationToken (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01224 492 NtClose (92, ... 
) == 0x0 01225 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\FLAGS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 492 NtSetValueKey (106, 0x0, 0, 1, (106, 0x0, 0, 1, "0\0\0\0", 4, ... ) , 4, ... ) == 0x0 01227 492 NtClose (106, ... ) == 0x0 01228 492 NtQueryKey (102, Name, 384, ... {Name= (102, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01229 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01230 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01231 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01232 492 NtClose (104, ... ) == 0x0 01233 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01234 492 NtOpenKey (0x2000000, {24, 102, 0x40, 0, 0, (0x2000000, {24, 102, 0x40, 0, 0, "0"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 492 NtQueryKey (102, Name, 382, ... {Name= (102, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01236 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01237 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01238 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01239 492 NtClose (104, ... ) == 0x0 01240 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01241 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01242 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0"}, 0, 0x0, 0, ... 92, 1, ) }, 0, 0x0, 0, ... 92, 1, ) == 0x0 01243 492 NtClose (104, ... ) == 0x0 01244 492 NtQueryKey (94, Name, 384, ... {Name= (94, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\"}, 178, ) }, 178, ) == 0x0 01245 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01246 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01247 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01248 492 NtClose (104, ... ) == 0x0 01249 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01250 492 NtOpenKey (0x2000000, {24, 94, 0x40, 0, 0, (0x2000000, {24, 94, 0x40, 0, 0, "win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01251 492 NtQueryKey (94, Name, 382, ... {Name= (94, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\"}, 178, ) }, 178, ) == 0x0 01252 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01253 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01254 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01255 492 NtClose (104, ... ) == 0x0 01256 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01257 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01258 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, 0, 0x0, 0, ... 108, 1, ) }, 0, 0x0, 0, ... 108, 1, ) == 0x0 01259 492 NtClose (104, ... ) == 0x0 01260 492 NtQueryKey (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32i"}, 190, ) }, 190, ) == 0x0 01261 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01262 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01263 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01264 492 NtClose (104, ... ) == 0x0 01265 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01266 492 NtQueryValueKey (110, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01267 492 NtQueryKey (110, Name, 392, ... {Name= (110, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32i"}, 190, ) }, 190, ) == 0x0 01268 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01269 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01270 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01271 492 NtClose (104, ... ) == 0x0 01272 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\0\win32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01273 492 NtSetValueKey (110, 0x0, 0, 1, (110, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0i\0e\0a\0.\0d\0l\0l\0\0\0", 56, ... ) , 56, ... ) == 0x0 01274 492 NtQueryKey (102, Name, 384, ... {Name= (102, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01275 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01276 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01277 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01278 492 NtClose (104, ... ) == 0x0 01279 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01280 492 NtOpenKey (0x2000000, {24, 102, 0x40, 0, 0, (0x2000000, {24, 102, 0x40, 0, 0, "HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01281 492 NtQueryKey (102, Name, 382, ... {Name= (102, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0e"}, 174, ) }, 174, ) == 0x0 01282 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01283 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01284 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01285 492 NtClose (104, ... ) == 0x0 01286 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 
104, ) == 0x0 01288 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, 0, 0x0, 0, ... 112, 1, ) }, 0, 0x0, 0, ... 112, 1, ) == 0x0 01289 492 NtClose (104, ... ) == 0x0 01290 492 NtQueryKey (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIRi"}, 190, ) }, 190, ) == 0x0 01291 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01292 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01293 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01294 492 NtClose (104, ... ) == 0x0 01295 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01296 492 NtQueryValueKey (114, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01297 492 NtQueryKey (114, Name, 392, ... {Name= (114, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIRi"}, 190, ) }, 190, ) == 0x0 01298 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01299 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01300 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01301 492 NtClose (104, ... ) == 0x0 01302 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\TypeLib\{E0F73B05-A982-4B1D-85A6-95669E94E070}\1.0\HELPDIR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01303 492 NtSetValueKey (114, 0x0, 0, 1, (114, 0x0, 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0\0\0", 42, ... ) , 42, ... 
) == 0x0 01304 492 NtClose (114, ... ) == 0x0 01305 492 NtQueryKey (70, Name, 384, ... {Name= (70, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01306 492 NtOpenKey (0x2000000, {24, 70, 0x40, 0, 0, (0x2000000, {24, 70, 0x40, 0, 0, "Interface"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 112, ) }, ... 112, ) == 0x0 01308 492 NtQueryKey (114, Name, 384, ... {Name= (114, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0 01309 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01310 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01311 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01312 492 NtClose (104, ... ) == 0x0 01313 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01314 492 NtOpenKey (0x2000000, {24, 114, 0x40, 0, 0, (0x2000000, {24, 114, 0x40, 0, 0, "{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01315 492 NtQueryKey (114, Name, 382, ... {Name= (114, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0 01316 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01317 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01318 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01319 492 NtClose (104, ... 
) == 0x0 01320 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01321 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01322 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01323 492 NtSetInformationFile (-2147482808, -136379356, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01324 492 NtSetInformationFile (-2147482808, -136379460, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01325 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01322 492 NtCreateKey ... 116, 1, ) == 0x0 01326 492 NtClose (104, ... ) == 0x0 01327 492 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01328 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01329 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01330 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01331 492 NtClose (104, ... ) == 0x0 01332 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01333 492 NtQueryValueKey (118, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01334 492 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01335 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01336 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01337 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01338 492 NtClose (104, ... ) == 0x0 01339 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01340 492 NtSetValueKey (118, 0x0, 0, 1, (118, 0x0, 0, 1, "_\0I\0A\0s\0s\0i\0s\0t\0a\0n\0t\0E\0v\0e\0n\0t\0s\0\0\0", 36, ... ) , 36, ... ) == 0x0 01341 492 NtQueryKey (118, Name, 384, ... {Name= (118, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01342 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01343 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01344 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01345 492 NtClose (104, ... ) == 0x0 01346 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01347 492 NtOpenKey (0x2000000, {24, 118, 0x40, 0, 0, (0x2000000, {24, 118, 0x40, 0, 0, "ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01348 492 NtQueryKey (118, Name, 382, ... {Name= (118, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01349 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01350 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01351 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01352 492 NtClose (104, ... ) == 0x0 01353 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01354 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01355 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 0, 0x0, 0, ... 120, 1, ) }, 0, 0x0, 0, ... 120, 1, ) == 0x0 01356 492 NtClose (104, ... ) == 0x0 01357 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0 01358 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01359 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01360 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01361 492 NtClose (104, ... ) == 0x0 01362 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01363 492 NtQueryValueKey (122, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01364 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0 01365 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01366 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01367 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01368 492 NtClose (104, ... ) == 0x0 01369 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01370 492 NtSetValueKey (122, 0x0, 0, 1, (122, 0x0, 0, 1, "{\00\00\00\02\00\04\02\00\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01371 492 NtClose (122, ... ) == 0x0 01372 492 NtQueryKey (118, Name, 384, ... {Name= (118, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01373 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01374 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 01375 492 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01376 492 NtClose (120, ... ) == 0x0 01377 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01378 492 NtOpenKey (0x2000000, {24, 118, 0x40, 0, 0, (0x2000000, {24, 118, 0x40, 0, 0, "ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 492 NtQueryKey (118, Name, 382, ... {Name= (118, Name, 382, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01380 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01381 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 01382 492 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01383 492 NtClose (120, ... ) == 0x0 01384 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01385 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 120, ) }, ... 120, ) == 0x0 01386 492 NtCreateKey (0x2000000, {24, 120, 0x40, 0, 0, (0x2000000, {24, 120, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0 01387 492 NtClose (120, ... ) == 0x0 01388 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01389 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01390 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 01391 492 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01392 492 NtClose (120, ... ) == 0x0 01393 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01394 492 NtQueryValueKey (106, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01395 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01396 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01397 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 120, ) == 0x0 01398 492 NtQueryInformationToken (120, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01399 492 NtClose (120, ... ) == 0x0 01400 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 492 NtSetValueKey (106, 0x0, 0, 1, (106, 0x0, 0, 1, "{\00\00\00\02\00\04\02\00\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01402 492 NtClose (106, ... ) == 0x0 01403 492 NtQueryKey (118, Name, 384, ... {Name= (118, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01404 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01405 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01406 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01407 492 NtClose (104, ... ) == 0x0 01408 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 492 NtOpenKey (0x2000000, {24, 118, 0x40, 0, 0, (0x2000000, {24, 118, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01410 492 NtQueryKey (118, Name, 382, ... {Name= (118, Name, 382, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}s"}, 170, ) }, 170, ) == 0x0 01411 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01412 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01413 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01414 492 NtClose (104, ... ) == 0x0 01415 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01416 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01417 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, 0, 0x0, 0, ... 120, 1, ) }, 0, 0x0, 0, ... 120, 1, ) == 0x0 01418 492 NtClose (104, ... ) == 0x0 01419 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01420 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01421 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01422 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01423 492 NtClose (104, ... ) == 0x0 01424 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01425 492 NtQueryValueKey (122, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01426 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01427 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01428 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01429 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01430 492 NtClose (104, ... ) == 0x0 01431 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 492 NtSetValueKey (122, 0x0, 0, 1, (122, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01433 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01434 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01435 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01436 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01437 492 NtClose (104, ... ) == 0x0 01438 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01439 492 NtQueryValueKey (122, (122, "Version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01440 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01441 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01442 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01443 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01444 492 NtClose (104, ... ) == 0x0 01445 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{E78CBE69-59ED-4F51-93BB-7A040B5DF2DC}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01446 492 NtSetValueKey (122, (122, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 0, 1, (122, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 8, ... ) == 0x0 01447 492 NtClose (122, ... ) == 0x0 01448 492 NtClose (118, ... ) == 0x0 01449 492 NtQueryKey (114, Name, 384, ... {Name= (114, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0 01450 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01451 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01452 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01453 492 NtClose (116, ... ) == 0x0 01454 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01455 492 NtOpenKey (0x2000000, {24, 114, 0x40, 0, 0, (0x2000000, {24, 114, 0x40, 0, 0, "{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01456 492 NtQueryKey (114, Name, 382, ... {Name= (114, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface"}, 92, ) }, 92, ) == 0x0 01457 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01458 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01459 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01460 492 NtClose (116, ... 
) == 0x0 01461 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01462 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0 01463 492 NtCreateKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01464 492 NtSetInformationFile (-2147482808, -136379452, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01463 492 NtCreateKey ... 120, 1, ) == 0x0 01465 492 NtClose (116, ... ) == 0x0 01466 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01467 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01468 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01469 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01470 492 NtClose (116, ... ) == 0x0 01471 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01472 492 NtQueryValueKey (122, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01473 492 NtQueryKey (122, Name, 392, ... {Name= (122, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01474 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01475 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01476 492 NtQueryInformationToken (116, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01477 492 NtClose (116, ... ) == 0x0 01478 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01479 492 NtSetValueKey (122, 0x0, 0, 1, (122, 0x0, 0, 1, "I\0A\0s\0s\0i\0s\0t\0a\0n\0t\0\0\0", 22, ... ) , 22, ... ) == 0x0 01480 492 NtQueryKey (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01481 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01482 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01483 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01484 492 NtClose (116, ... ) == 0x0 01485 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01486 492 NtOpenKey (0x2000000, {24, 122, 0x40, 0, 0, (0x2000000, {24, 122, 0x40, 0, 0, "ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01487 492 NtQueryKey (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01488 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01489 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01490 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01491 492 NtClose (116, ... 
) == 0x0 01492 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0 01494 492 NtCreateKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0 01495 492 NtClose (116, ... ) == 0x0 01496 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0 01497 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01498 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01499 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01500 492 NtClose (116, ... ) == 0x0 01501 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 492 NtQueryValueKey (106, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, 200, ) }, 200, ) == 0x0 01504 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01505 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01506 492 NtQueryInformationToken (116, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01507 492 NtClose (116, ... ) == 0x0 01508 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01509 492 NtSetValueKey (106, 0x0, 0, 1, (106, 0x0, 0, 1, "{\00\00\00\02\00\04\02\04\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01510 492 NtClose (106, ... ) == 0x0 01511 492 NtQueryKey (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01512 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01513 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01514 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01515 492 NtClose (104, ... ) == 0x0 01516 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01517 492 NtOpenKey (0x2000000, {24, 122, 0x40, 0, 0, (0x2000000, {24, 122, 0x40, 0, 0, "ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01518 492 NtQueryKey (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01519 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01520 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01521 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01522 492 NtClose (104, ... 
) == 0x0 01523 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01524 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 104, ) }, ... 104, ) == 0x0 01525 492 NtCreateKey (0x2000000, {24, 104, 0x40, 0, 0, (0x2000000, {24, 104, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 0, 0x0, 0, ... 116, 1, ) }, 0, 0x0, 0, ... 116, 1, ) == 0x0 01526 492 NtClose (104, ... ) == 0x0 01527 492 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01528 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01529 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01530 492 NtQueryInformationToken (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01531 492 NtClose (104, ... ) == 0x0 01532 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01533 492 NtQueryValueKey (118, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01534 492 NtQueryKey (118, Name, 392, ... {Name= (118, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, 204, ) }, 204, ) == 0x0 01535 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01536 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 104, ) == 0x0 01537 492 NtQueryInformationToken (104, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01538 492 NtClose (104, ... ) == 0x0 01539 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\ProxyStubClsid32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01540 492 NtSetValueKey (118, 0x0, 0, 1, (118, 0x0, 0, 1, "{\00\00\00\02\00\04\02\04\0-\00\00\00\00\0-\00\00\00\00\0-\0C\00\00\00\0-\00\00\00\00\00\00\00\00\00\00\04\06\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01541 492 NtClose (118, ... ) == 0x0 01542 492 NtQueryKey (122, Name, 384, ... {Name= (122, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01543 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01544 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01545 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01546 492 NtClose (116, ... ) == 0x0 01547 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01548 492 NtOpenKey (0x2000000, {24, 122, 0x40, 0, 0, (0x2000000, {24, 122, 0x40, 0, 0, "TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01549 492 NtQueryKey (122, Name, 382, ... {Name= (122, Name, 382, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}s"}, 170, ) }, 170, ) == 0x0 01550 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01551 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01552 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01553 492 NtClose (116, ... 
) == 0x0 01554 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01555 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 116, ) }, ... 116, ) == 0x0 01556 492 NtCreateKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, 0, 0x0, 0, ... 104, 1, ) }, 0, 0x0, 0, ... 104, 1, ) == 0x0 01557 492 NtClose (116, ... ) == 0x0 01558 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01559 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01560 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01561 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01562 492 NtClose (116, ... ) == 0x0 01563 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01564 492 NtQueryValueKey (106, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01566 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01567 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01568 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01569 492 NtClose (116, ... 
) == 0x0 01570 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01571 492 NtSetValueKey (106, 0x0, 0, 1, (106, 0x0, 0, 1, "{\0E\00\0F\07\03\0B\00\05\0-\0A\09\08\02\0-\04\0B\01\0D\0-\08\05\0A\06\0-\09\05\06\06\09\0E\09\04\0E\00\07\00\0}\0\0\0", 78, ... ) , 78, ... ) == 0x0 01572 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01573 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01574 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01575 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01576 492 NtClose (116, ... ) == 0x0 01577 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01578 492 NtQueryValueKey (106, (106, "Version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 492 NtQueryKey (106, Name, 392, ... {Name= (106, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLibe"}, 186, ) }, 186, ) == 0x0 01580 492 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01581 492 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 116, ) == 0x0 01582 492 NtQueryInformationToken (116, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01583 492 NtClose (116, ... 
) == 0x0 01584 492 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Interface\{B04FF886-12BF-4359-A280-311A94A8663D}\TypeLib"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 492 NtSetValueKey (106, (106, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 0, 1, (106, "Version", 0, 1, "1\0.\00\0\0\0", 8, ... ) , 8, ... ) == 0x0 01586 492 NtClose (106, ... ) == 0x0 01587 492 NtClose (122, ... ) == 0x0 01588 492 NtClose (114, ... ) == 0x0 01589 492 NtClose (110, ... ) == 0x0 01590 492 NtClose (94, ... ) == 0x0 01591 492 NtClose (102, ... ) == 0x0 01592 492 NtClose (82, ... ) == 0x0 01593 492 NtClose (98, ... ) == 0x0 01594 492 NtClose (84, ... ) == 0x0 01595 492 NtUnmapViewOfSection (-1, 0x3b0000, ... ) == 0x0 01596 492 NtClose (88, ... ) == 0x0 01597 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 01598 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x7,}, 4, ... ) == 0x0 01599 492 NtFreeVirtualMemory (-1, (0x3a0000), 0, 32768, ... (0x3a0000), 65536, ) == 0x0 01600 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc03b 01601 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01602 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc03d 01603 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01604 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc03f 01605 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01606 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc041 01607 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01608 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc043 01609 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... 
) == 0x1 01610 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc045 01611 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01612 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc047 01613 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01614 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc049 01615 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01616 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc04b 01617 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01618 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc04d 01619 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01620 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc04f 01621 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01622 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc051 01623 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01624 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc053 01625 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01626 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc057 01627 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01628 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc059 01629 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01630 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc05b 01631 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01632 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc05d 01633 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... 
) == 0x1 01634 492 NtUserGetClassInfo (1999896576, 1243652, 1243604, 1243680, 0, ... ) == 0xc05f 01635 492 NtUserUnregisterClass (1243656, 1999896576, 1243644, ... ) == 0x1 01636 492 NtFreeVirtualMemory (-1, (0x380000), 0, 32768, ... (0x380000), 65536, ) == 0x0 01637 492 NtClose (76, ... ) == 0x0 01638 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 01639 492 NtClose (64, ... ) == 0x0 01640 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0 01641 492 NtClose (56, ... ) == 0x0 01642 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0 01643 492 NtUnmapViewOfSection (-1, 0x10000000, ... ) == 0x0 01644 492 NtUnmapViewOfSection (-1, 0x77340000, ... ) == 0x0 01645 492 NtUnmapViewOfSection (-1, 0x73000000, ... ) == 0x0 01646 492 NtUnmapViewOfSection (-1, 0x76200000, ... ) == 0x0 01647 492 NtUnmapViewOfSection (-1, 0x77120000, ... ) == 0x0 01648 492 NtUnmapViewOfSection (-1, 0x762c0000, ... ) == 0x0 01649 492 NtUnmapViewOfSection (-1, 0x762a0000, ... ) == 0x0 01650 492 NtUnmapViewOfSection (-1, 0x771b0000, ... ) == 0x0 01651 492 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe"}, 7, 2113568, ... 56, {status=0x0, info=1}, ) }, 7, 2113568, ... 56, {status=0x0, info=1}, ) == 0x0 01652 492 NtQueryInformationFile (56, 1243816, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01653 492 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 64, 0x0, ) }, 0, 0x0, 0, ... 64, 0x0, ) == 0x0 01654 492 NtQueryValueKey (64, (64, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01655 492 NtClose (64, ... 
) == 0x0 01656 492 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 64, 0x0, ) }, 0, 0x0, 0, ... 64, 0x0, ) == 0x0 01657 492 NtQueryValueKey (64, (64, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01658 492 NtSetValueKey (64, (64, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 0, 7, (64, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0u\0:\0\\0w\0o\0r\0k\0\\0p\0a\0c\0k\0e\0d\0.\0e\0x\0e\0\0\0\0\0\0\0", 50, ... , 50, ... 01659 492 NtSetInformationFile (-2147482844, -136378572, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01660 492 NtSetInformationFile (-2147482844, -136378664, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01661 492 NtSetInformationFile (-2147482844, -136379068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01658 492 NtSetValueKey ... ) == 0x0 01662 492 NtClose (64, ... ) == 0x0 01663 492 NtClose (56, ... ) == 0x0 01664 492 NtTerminateProcess (0, 0, ... ) == 0x0 01665 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc03b 01666 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01667 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc03d 01668 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01669 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc03f 01670 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01671 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc041 01672 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01673 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc043 01674 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... 
) == 0x1 01675 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc045 01676 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01677 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc047 01678 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01679 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc049 01680 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01681 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc04b 01682 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01683 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc04d 01684 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01685 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc04f 01686 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01687 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc051 01688 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01689 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc053 01690 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01691 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc057 01692 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01693 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc059 01694 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01695 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc05b 01696 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01697 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc05d 01698 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... 
) == 0x1 01699 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc05f 01700 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01701 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc017 01702 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01703 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc019 01704 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01705 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc018 01706 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01707 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc01a 01708 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01709 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc01c 01710 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01711 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc01e 01712 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01713 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc01b 01714 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01715 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc068 01716 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01717 492 NtUserGetClassInfo (1905590272, 1244280, 1244232, 1244308, 0, ... ) == 0xc06a 01718 492 NtUserUnregisterClass (1244284, 1905590272, 1244272, ... ) == 0x1 01719 492 NtUnmapViewOfSection (-1, 0x390000, ... ) == 0x0 01720 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 01721 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 01722 492 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... 
) == 0x0 01723 492 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED 01724 492 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1550545519, 1801675120, 1697539173, 25976} (24, {20, 48, new_msg, 0, 1550545519, 1801675120, 1697539173, 25976} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 476, 492, 1576, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ... {20, 48, reply, 0, 476, 492, 1576, 0} (24, {20, 48, new_msg, 0, 1550545519, 1801675120, 1697539173, 25976} "\0\0\0\0\3\0\1\0\0\02\0P\72\0\0\0\0\0" ... {20, 48, reply, 0, 476, 492, 1576, 0} "\0\0\0\0\3\0\1\0\0\0\0\0P\72\0\0\0\0\0" ) ) == 0x0 01725 492 NtTerminateProcess (-1, 0, ... 01726 492 NtClose (40, ... ) == 0x0