Summary (per-syscall call counts for the traced thread, listed in ascending order of count):

NtAccessCheck(>) 1 NtQueryInstallUILanguage(>) 2 NtUserQueryWindow(>) 10 NtQueryDirectoryFile(>) 46
NtAddAtom(>) 1 NtQueryVirtualMemory(>) 2 NtWriteFile(>) 10 NtUserFindExistingCursorIcon(>) 48
NtCallbackReturn(>) 1 NtRegisterThreadTerminatePort(>) 2 NtUserSystemParametersInfo(>) 11 NtCreateSection(>) 49
NtCreateThread(>) 1 NtSetEvent(>) 2 NtDuplicateObject(>) 12 NtUserMessageCall(>) 50
NtEnumerateValueKey(>) 1 NtTestAlert(>) 2 NtEnumerateKey(>) 12 NtQueryDefaultLocale(>) 51
NtGdiCreateBitmap(>) 1 NtUserGetProcessWindowStation(>) 2 NtUserGetObjectInformation(>) 12 NtDeviceIoControlFile(>) 55
NtGdiGetWidthTable(>) 1 NtUserGetSystemMenu(>) 2 NtUserSetWindowPos(>) 12 NtOpenProcessToken(>) 56
NtGdiInit(>) 1 NtGdiHfontCreate(>) 3 NtUserGetAtomName(>) 13 NtCreateKey(>) 59
NtGdiIntersectClipRect(>) 1 NtUserInvalidateRect(>) 3 NtUserRemoveProp(>) 13 NtOpenProcessTokenEx(>) 60
NtGdiQueryFontAssocInfo(>) 1 NtUserRegisterWindowMessage(>) 3 NtUserSetWindowFNID(>) 13 NtOpenThreadTokenEx(>) 60
NtGdiSelectBitmap(>) 1 NtUserShowWindow(>) 3 NtFlushInstructionCache(>) 15 NtUserRegisterClassExWOW(>) 64
NtOpenKeyedEvent(>) 1 NtCreateMutant(>) 4 NtSetInformationThread(>) 15 NtLockFile(>) 69
NtQueryEvent(>) 1 NtGdiCreateCompatibleDC(>) 4 NtNotifyChangeKey(>) 16 NtReleaseSemaphore(>) 69
NtQueryInformationThread(>) 1 NtUserCallHwndParam(>) 4 NtUserSBGetParms(>) 17 NtUnlockFile(>) 69
NtQueryObject(>) 1 NtUserMoveWindow(>) 4 NtQuerySection(>) 18 NtFreeVirtualMemory(>) 70
NtQuerySystemTime(>) 1 NtCreateSemaphore(>) 5 NtQueryVolumeInformationFile(>) 18 NtQueryKey(>) 77
NtResumeThread(>) 1 NtGdiGetStockObject(>) 5 NtFsControlFile(>) 20 NtReadFile(>) 80
NtSecureConnectPort(>) 1 NtOpenEvent(>) 5 NtUserSetProp(>) 20 NtMapViewOfSection(>) 81
NtUserBuildHwndList(>) 1 NtSetInformationObject(>) 5 NtQueryDebugFilterState(>) 22 NtWaitForSingleObject(>) 86
NtUserGetGUIThreadInfo(>) 1 NtConnectPort(>) 6 NtUserSetWindowLong(>) 23 NtQuerySystemInformation(>) 94
NtUserPostMessage(>) 1 NtOpenSymbolicLinkObject(>) 6 NtRequestWaitReplyPort(>) 28 NtQueryInformationFile(>) 99
NtUserSetParent(>) 1 NtQuerySymbolicLinkObject(>) 6 NtUserCreateWindowEx(>) 28 NtQueryInformationToken(>) 114
NtAdjustPrivilegesToken(>) 2 NtUserGetClassName(>) 6 NtUserGetWindowDC(>) 28 NtSetInformationProcess(>) 150
NtClearEvent(>) 2 NtUserGetScrollBarInfo(>) 7 NtProtectVirtualMemory(>) 29 NtQueryAttributesFile(>) 193
NtContinue(>) 2 NtUserSetScrollInfo(>) 7 NtOpenThreadToken(>) 30 NtQueryInformationProcess(>) 197
NtCreateIoCompletion(>) 2 NtOpenMutant(>) 8 NtCreateFile(>) 31 NtAllocateVirtualMemory(>) 209
NtGdiCreatePatternBrushInternal(>) 2 NtReleaseMutant(>) 9 NtUserGetClassInfo(>) 37 NtOpenFile(>) 211
NtGdiCreateSolidBrush(>) 2 NtUserCallNoParam(>) 9 NtUserCallOneParam(>) 38 NtOpenKey(>) 410
NtGdiDeleteObjectApp(>) 2 NtUserThunkedMenuItemInfo(>) 9 NtUnmapViewOfSection(>) 39 NtQueryValueKey(>) 415
NtGdiGetTextCharsetInfo(>) 2 NtOpenProcess(>) 10 NtSetInformationFile(>) 40 NtClose(>) 729
NtGdiGetTextFaceW(>) 2 NtQueryDefaultUILanguage(>) 10 NtCreateEvent(>) 43
NtGdiGetTextMetricsW(>) 2 NtUserGetDC(>) 10 NtSetValueKey(>) 43
NtOpenDirectoryObject(>) 2

Trace (each entry: sequence number, thread id, syscall with its arguments, then `==` and the returned NTSTATUS; the listing below is truncated):

00001 476 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 476 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 476 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 476 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 476 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 476 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 476 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 476 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 476 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 476 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 476 NtClose (12, ... 
) == 0x0 00014 476 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 476 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 476 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 476 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 476 NtClose (16, ... ) == 0x0 00021 476 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 476 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 476 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 476 NtClose (16, ... ) == 0x0 00026 476 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 476 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 476 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 476 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 476 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 476 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 476, 1529, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 464, 476, 1529, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 476, 1529, 0} "\20>\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 476 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 476 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 476 NtClose (16, ... ) == 0x0 00036 476 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 476 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 476 NtClose (28, ... ) == 0x0 00041 476 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 476 NtClose (28, ... ) == 0x0 00045 476 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 476 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 476 NtClose (28, ... ) == 0x0 00049 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 476 NtClose (28, ... ) == 0x0 00052 476 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 476 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 464, 476, 1540, 0} " \245\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 464, 476, 1540, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 464, 476, 1540, 0} " \245\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00057 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00058 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00059 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 476 NtClose (28, ... ) == 0x0 00062 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 476 NtClose (28, ... ) == 0x0 00065 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 476 NtClose (28, ... ) == 0x0 00068 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 476 NtClose (28, ... ) == 0x0 00071 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00072 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00073 476 NtFlushInstructionCache (-1, 4247552, 500, ... 
) == 0x0 00074 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00075 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00076 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00077 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00079 476 NtClose (28, ... ) == 0x0 00080 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00081 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00082 476 NtClose (28, ... ) == 0x0 00083 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00084 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00085 476 NtClose (28, ... ) == 0x0 00086 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00087 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00088 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00089 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00090 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00091 476 NtClose (28, ... ) == 0x0 00092 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00093 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00094 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00095 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 
28, ) == 0x0 00096 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00097 476 NtClose (28, ... ) == 0x0 00098 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00099 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00100 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00101 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0 00102 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00103 476 NtClose (28, ... ) == 0x0 00104 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00105 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00106 476 NtClose (28, ... ) == 0x0 00107 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0 00108 476 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00109 476 NtClose (28, ... ) == 0x0 00110 476 NtProtectVirtualMemory (-1, (0x40d000), 500, 4, ... (0x40d000), 4096, 2, ) == 0x0 00111 476 NtProtectVirtualMemory (-1, (0x40d000), 4096, 2, ... (0x40d000), 4096, 4, ) == 0x0 00112 476 NtFlushInstructionCache (-1, 4247552, 500, ... ) == 0x0 00113 476 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00114 476 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00115 476 NtClose (28, ... ) == 0x0 00116 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00117 476 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00118 476 NtClose (28, ... ) == 0x0 00119 476 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00120 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00121 476 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00122 476 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00123 476 NtClose (28, ... ) == 0x0 00124 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00125 476 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00126 476 NtClose (28, ... ) == 0x0 00127 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00128 476 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00129 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00130 476 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00131 476 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\215\314\304~\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 476, 1569, 0} "XQ\26\0\0\0\0\0\0\0\0\0\215\314\304~\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 464, 476, 1569, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\215\314\304~\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 476, 1569, 0} "XQ\26\0\0\0\0\0\0\0\0\0\215\314\304~\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00132 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00133 476 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00134 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00135 476 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00136 476 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482020, ) == 0x0 00137 476 NtQueryInformationToken (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00138 476 NtQueryInformationToken (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00139 476 NtClose (-2147482020, ... ) == 0x0 00140 476 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00141 476 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00142 476 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 
48, ) == 0x0 00143 476 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00144 476 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 476 NtClose (-2147482020, ... ) == 0x0 00146 476 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00147 476 NtQueryValueKey (-2147482020, (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 476 NtClose (-2147482020, ... ) == 0x0 00149 476 NtQueryDefaultLocale (0, -136214004, ... ) == 0x0 00150 476 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00151 476 NtUserCallNoParam (24, ... ) == 0x0 00152 476 NtGdiCreateCompatibleDC (0, ... 00153 476 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00152 476 NtGdiCreateCompatibleDC ... ) == 0x10010448 00154 476 NtGdiGetStockObject (0, ... ) == 0x1900010 00155 476 NtGdiGetStockObject (4, ... ) == 0x1900011 00156 476 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f 00157 476 NtGdiCreateSolidBrush (0, 0, ... 00158 476 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0 00157 476 NtGdiCreateSolidBrush ... ) == 0x8100452 00159 476 NtGdiGetStockObject (13, ... ) == 0x18a0021 00160 476 NtGdiCreateCompatibleDC (0, ... ) == 0x6010453 00161 476 NtGdiSelectBitmap (100729939, 184878159, ... ) == 0x185000f 00162 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 00163 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 
52, ) == 0x0 00164 476 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00165 476 NtClose (52, ... ) == 0x0 00166 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00167 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017 00168 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00169 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c 00170 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00171 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e 00172 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00173 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002 00174 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00175 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018 00176 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00177 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a 00178 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00179 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d 00180 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00181 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026 00182 476 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00183 476 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... 
) == 0x810cc019 00184 476 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020 00185 476 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022 00186 476 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023 00187 476 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024 00188 476 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00189 476 NtAllocateVirtualMemory (-1, 5550080, 0, 4096, 4096, 32, ... 5550080, 4096, ) == 0x0 00188 476 NtUserRegisterClassExWOW ... ) == 0x810cc025 00190 476 NtCallbackReturn (0, 0, 0, ... 00191 476 NtGdiInit (... ) == 0x1 00192 476 NtGdiGetStockObject (18, ... ) == 0x290001c 00193 476 NtGdiGetStockObject (19, ... ) == 0x1b00019 00194 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00195 476 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8650752, 65536, ) == 0x0 00196 476 NtAllocateVirtualMemory (-1, 8650752, 0, 4096, 4096, 4, ... 8650752, 4096, ) == 0x0 00197 476 NtAllocateVirtualMemory (-1, 8654848, 0, 8192, 4096, 4, ... 8654848, 8192, ) == 0x0 00198 476 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0 00199 476 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x850000), 0x0, 12288, ) == 0x0 00200 476 NtClose (52, ... ) == 0x0 00201 476 NtAllocateVirtualMemory (-1, 8663040, 0, 4096, 4096, 4, ... 8663040, 4096, ) == 0x0 00202 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00203 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0 00204 476 NtQueryValueKey (52, (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00205 476 NtClose (52, ... ) == 0x0 00206 476 NtQueryDefaultUILanguage (1241756, ... 00207 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00208 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00209 476 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00210 476 NtClose (-2147482020, ... ) == 0x0 00211 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00212 476 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00213 476 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00214 476 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00215 476 NtClose (-2147482032, ... ) == 0x0 00216 476 NtClose (-2147482020, ... ) == 0x0 00206 476 NtQueryDefaultUILanguage ... ) == 0x0 00217 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00218 476 NtQueryInstallUILanguage (2012047340, ... 
) == 0x0 00219 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00220 476 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0 00221 476 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x860000), 0x0, 8323072, ) == 0x0 00222 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00223 476 NtQueryDefaultUILanguage (2013024600, ... 00224 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00225 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00226 476 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00227 476 NtClose (-2147482020, ... ) == 0x0 00228 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00229 476 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 476 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00231 476 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00232 476 NtClose (-2147482032, ... ) == 0x0 00233 476 NtClose (-2147482020, ... ) == 0x0 00223 476 NtQueryDefaultUILanguage ... ) == 0x0 00234 476 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00235 476 NtQueryInstallUILanguage (2013024602, ... 
) == 0x0 00236 476 NtQueryDefaultLocale (1, 1239792, ... ) == 0x0 00237 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00238 476 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\275\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1570, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\275\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 476, 1570, 0} (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\275\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1570, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\0\0\0\377\377\377\377\0\0\0\0\20\311\275\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ) ) == 0x0 00239 476 NtClose (52, ... ) == 0x0 00240 476 NtClose (56, ... ) == 0x0 00241 476 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00242 476 NtUnmapViewOfSection (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW 00243 476 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00244 476 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00245 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00246 476 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00247 476 NtClose (56, ... ) == 0x0 00248 476 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00249 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00250 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00251 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00252 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00253 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00254 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00255 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0 00256 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0 00257 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00258 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 
52, {status=0x0, info=1}, ) == 0x0 00259 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00260 476 NtClose (52, ... ) == 0x0 00261 476 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 921600, ) == 0x0 00262 476 NtClose (60, ... ) == 0x0 00263 476 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00264 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0 00265 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0 00266 476 NtQuerySection (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00267 476 NtOpenProcessToken (-1, 0x8, ... 64, ) == 0x0 00268 476 NtQueryInformationToken (64, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00269 476 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00270 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 68, ) }, ... 68, ) == 0x0 00271 476 NtQueryValueKey (68, (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (68, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00272 476 NtClose (68, ... ) == 0x0 00273 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00274 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 68, ) == 0x0 00275 476 NtQueryInformationToken (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00276 476 NtClose (68, ... 
) == 0x0 00277 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00278 476 NtClose (64, ... ) == 0x0 00279 476 NtClose (60, ... ) == 0x0 00280 476 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00281 476 NtClose (52, ... ) == 0x0 00282 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00283 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00284 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00285 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00286 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00287 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00288 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00289 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00290 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00291 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00292 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00293 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00294 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00295 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00296 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00297 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00298 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00299 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00300 476 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00301 476 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00302 476 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00303 476 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0 00304 476 NtQueryDefaultUILanguage (1239368, ... 00305 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00306 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00307 476 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00308 476 NtClose (-2147482020, ... ) == 0x0 00309 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00310 476 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 476 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00312 476 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00313 476 NtClose (-2147482032, ... ) == 0x0 00314 476 NtClose (-2147482020, ... ) == 0x0 00304 476 NtQueryDefaultUILanguage ... ) == 0x0 00315 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00316 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0 00317 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00318 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0 00319 476 NtClose (52, ... ) == 0x0 00320 476 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 4096, ) == 0x0 00321 476 NtClose (60, ... ) == 0x0 00322 476 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00323 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0 00324 476 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1238560, (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0 00325 476 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0 00326 476 NtClose (60, ... ) == 0x0 00327 476 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 4096, ) == 0x0 00328 476 NtClose (52, ... ) == 0x0 00329 476 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00330 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0 00331 476 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0 00332 476 NtMapViewOfSection (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x860000), 0x0, 4096, ) == 0x0 00333 476 NtQueryInformationFile (52, 1238180, 56, NetworkOpen, ... 
{status=0x0, info=56}, ) == 0x0 00334 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00335 476 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1571, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 476, 1571, 0} (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1571, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ) ) == 0x0 00336 476 NtClose (52, ... ) == 0x0 00337 476 NtClose (60, ... ) == 0x0 00338 476 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 00339 476 NtUnmapViewOfSection (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW 00340 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00341 476 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... 
) == 0xc03a 00342 476 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00343 476 NtUserGetDC (0, ... ) == 0x1010054 00344 476 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00345 476 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00346 476 NtUserSystemParametersInfo (66, 12, 1240672, 0, ... ) == 0x1 00347 476 NtOpenProcessToken (-1, 0x8, ... 60, ) == 0x0 00348 476 NtAccessCheck (1329160, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00349 476 NtClose (60, ... ) == 0x0 00350 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00351 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00352 476 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00353 476 NtClose (60, ... ) == 0x0 00354 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00355 476 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00356 476 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00357 476 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00358 476 NtClose (52, ... ) == 0x0 00359 476 NtUserSystemParametersInfo (41, 500, 1240172, 0, ... ) == 0x1 00360 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0 00361 476 NtQueryValueKey (52, (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00362 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 
64, ) == 0x0 00363 476 NtQueryValueKey (64, (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00364 476 NtClose (64, ... ) == 0x0 00365 476 NtClose (52, ... ) == 0x0 00366 476 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00367 476 NtUserSystemParametersInfo (4130, 0, 1240696, 0, ... ) == 0x1 00368 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0 00369 476 NtEnumerateValueKey (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00370 476 NtClose (52, ... ) == 0x0 00371 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00372 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03b 00373 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03d 00374 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00375 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc03f 00376 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00377 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc041 00378 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00379 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc043 00380 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc045 00381 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00382 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc047 00383 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00384 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... 
) == 0x810cc049 00385 476 NtUserGetClassInfo (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049 00386 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00387 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04b 00388 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00389 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04d 00390 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00391 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04f 00392 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc051 00393 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00394 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc053 00395 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00396 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc055 00397 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc057 00398 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00399 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc059 00400 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10013 00401 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05b 00402 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00403 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05d 00404 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00405 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 
) == 0x810cc05f 00406 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00407 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc017 00408 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00409 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc019 00410 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10013 00411 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc018 00412 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00413 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01a 00414 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00415 476 NtUserRegisterClassExWOW (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc01c 00416 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00417 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01e 00418 476 NtUserFindExistingCursorIcon (1239976, 1239992, 1240560, ... ) == 0x10011 00419 476 NtUserRegisterClassExWOW (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810cc01b 00420 476 NtUserFindExistingCursorIcon (1239972, 1239988, 1240556, ... ) == 0x10011 00421 476 NtUserRegisterClassExWOW (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810cc068 00422 476 NtUserFindExistingCursorIcon (1239980, 1239996, 1240564, ... ) == 0x10011 00423 476 NtUserRegisterClassExWOW (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... 00424 476 NtAllocateVirtualMemory (-1, 5554176, 0, 4096, 4096, 32, ... 5554176, 4096, ) == 0x0 00423 476 NtUserRegisterClassExWOW ... ) == 0x810cc06a 00425 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 52, ) }, ... 
52, ) == 0x0 00426 476 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00427 476 NtClose (52, ... ) == 0x0 00428 476 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 52, ) == 0x0 00429 476 NtQueryInformationProcess (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00430 476 NtClose (52, ... ) == 0x0 00431 476 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00432 476 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00433 476 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00434 476 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0 00435 476 NtQueryValueKey (52, (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00436 476 NtClose (52, ... ) == 0x0 00437 476 NtUserSystemParametersInfo (41, 500, 1241332, 0, ... ) == 0x1 00438 476 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00439 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00440 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00441 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03b 00442 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00443 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03d 00444 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00445 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00446 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc03f 00447 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00448 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... 
) == 0x10011 00449 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc041 00450 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00451 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00452 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc043 00453 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00454 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc045 00455 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00456 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00457 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc047 00458 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00459 476 NtUserFindExistingCursorIcon (1241120, 1241136, 1241704, ... ) == 0x10011 00460 476 NtUserRegisterClassExWOW (1241572, 1241652, 1241636, 1241668, 0, 384, 0, ... ) == 0x810cc049 00461 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00462 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00463 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04b 00464 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00465 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00466 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc04d 00467 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00468 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00469 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810cc04f 00470 476 NtUserGetClassInfo (1999896576, 1241744, 1241696, 1241772, 0, ... ) == 0x0 00471 476 NtUserRegisterClassExWOW (1241580, 1241660, 1241644, 1241676, 0, 384, 0, ... ) == 0x810cc051 00472 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00473 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00474 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc053 00475 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00476 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00477 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc055 00478 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc057 00479 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00480 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00481 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc059 00482 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00483 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10013 00484 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05b 00485 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00486 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00487 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... ) == 0x810cc05d 00488 476 NtUserGetClassInfo (1999896576, 1241740, 1241692, 1241768, 0, ... ) == 0x0 00489 476 NtUserFindExistingCursorIcon (1241124, 1241140, 1241708, ... ) == 0x10011 00490 476 NtUserRegisterClassExWOW (1241576, 1241656, 1241640, 1241672, 0, 384, 0, ... 
) == 0x810cc05f 00491 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03b 00492 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03d 00493 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc03f 00494 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc041 00495 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc043 00496 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc045 00497 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc047 00498 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc049 00499 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04b 00500 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04d 00501 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc04f 00502 476 NtUserGetClassInfo (1999896576, 1243496, 1243448, 1243524, 0, ... ) == 0xc051 00503 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc053 00504 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc055 00505 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc059 00506 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05b 00507 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05d 00508 476 NtUserGetClassInfo (1999896576, 1243492, 1243444, 1243520, 0, ... ) == 0xc05f 00509 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00510 476 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00511 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00512 476 NtQueryValueKey (52, (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00513 476 NtClose (52, ... ) == 0x0 00514 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00515 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00516 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00517 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00518 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 52, ) }, ... 52, ) == 0x0 00519 476 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 476 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00521 476 NtQueryValueKey (52, (52, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 476 NtClose (52, ... 
) == 0x0 00523 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 52, ) }, ... 52, ) == 0x0 00524 476 NtQueryValueKey (52, (52, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00525 476 NtQueryValueKey (52, (52, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00526 476 NtClose (52, ... ) == 0x0 00527 476 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00528 476 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00529 476 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00530 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00531 476 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00532 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00533 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00534 476 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00535 476 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00536 476 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00537 476 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 
1343488, 4096, ) == 0x0 00538 476 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1243532, 0, (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00539 476 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0 00540 476 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00541 476 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0 00542 476 NtQueryDefaultUILanguage (1241768, ... 00543 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00544 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 00545 476 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00546 476 NtClose (-2147482020, ... ) == 0x0 00547 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0 00548 476 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00549 476 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00550 476 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00551 476 NtClose (-2147482032, ... ) == 0x0 00552 476 NtClose (-2147482020, ... ) == 0x0 00542 476 NtQueryDefaultUILanguage ... 
) == 0x0 00553 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00554 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0 00555 476 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0 00556 476 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 593920, ) == 0x0 00557 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00558 476 NtQueryDefaultLocale (1, 1239804, ... ) == 0x0 00559 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00560 476 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1H\0\0\0\377\377\377\377\0\0\0\0P\275\217\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1572, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1H\0\0\0\377\377\377\377\0\0\0\0P\275\217\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 464, 476, 1572, 0} (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1H\0\0\0\377\377\377\377\0\0\0\0P\275\217\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1572, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1H\0\0\0\377\377\377\377\0\0\0\0P\275\217\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ) ) == 0x0 00561 476 NtClose (72, ... ) == 0x0 00562 476 NtClose (76, ... ) == 0x0 00563 476 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00564 476 NtUnmapViewOfSection (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW 00565 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00566 476 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00567 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00568 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00569 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00570 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00571 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00572 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00573 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... 
) == 0x0 00574 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0 00575 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00576 476 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0 00577 476 NtTestAlert (... ) == 0x0 00578 476 NtContinue (1244464, 1, ... 00579 476 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40ada0,}, 4, ... ) == 0x0 00580 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1242040, ... ) }, 1242040, ... ) == 0x0 00581 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00582 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 84, ) == 0x0 00583 476 NtClose (80, ... ) == 0x0 00584 476 NtMapViewOfSection (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 262144, ) == 0x0 00585 476 NtClose (84, ... ) == 0x0 00586 476 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00587 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00588 476 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00589 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00590 476 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00591 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 84, {status=0x0, info=0}, ) }, 7, 16, ... 84, {status=0x0, info=0}, ) == 0x0 00592 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\251m\220:\271\10\35)\252\206\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00593 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00594 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00595 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00596 476 NtQuerySystemInformation (Exception, 16, ... 
{system info, class 33, size 16}, 16, ) == 0x0 00597 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00598 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00599 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00600 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00601 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\342p\313R\250\272\27\357\33\343&\1\6~.H\342\274=\233\245\17\307\214Ks<\34\20101\340\247\241\272a\355,\263\334\205I~C>\303];\327O\222\277\10L1\310.~\243gs\377\203Z\330\262\33\30\212\23\264\315\3532#\343\270\24\232", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\342p\313R\250\272\27\357\33\343&\1\6~.H\342\274=\233\245\17\307\214Ks<\34\20101\340\247\241\272a\355,\263\334\205I~C>\303];\327O\222\277\10L1\310.~\243gs\377\203Z\330\262\33\30\212\23\264\315\3532#\343\270\24\232", 80, ... ) , 80, ... ) == 0x0 00602 476 NtClose (-2147482020, ... ) == 0x0 00592 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\235\246\246\244\264\301\263\317\234\272\302\330%\361\326J;\373\3712\226\365\276\344Zo\5m\11m\276\273$\353LL\331\372\276s\253\2527X\3315i\363\235\377\22\372\325\25\33u\346d\20\313\6\275\10F\242P\264\366\236\334k\335k\235\322Kp\330\256T\4\275\336"\374\254,\31\310\14\233\201\344\307,\311\354\326\263w\221q\336\351\223 \273\4\366\352`?\242G<$\210|\271<\2279c\37On\364\316A\375\317\240\4\271\203\236\323\240\327U\323C\362u\244\111\32\372\32\204\265-CIt\17\2\356\324)~K \304\251H\333\34\212c\223\360cup\376\317\304;M\305'\271\213\10\240c~s\350\24\5\364_\247\\372\200\274P\324\260\230pe\1\364\30@\3029p\303\2355\233S\372\304~\33\15\33\212\10-\20\260>\245\307\271T\273j\246#\244\327\262}T\242\361g8\345\326\251b_\343n\", ) \374\254,\31\310\14\233\201\344\307,\311\354\326\263w\221q\336\351\223 \273\4\366\352`?\242G<$\210|\271<\2279c\37On\364\316A\375\317\240\4\271\203\236\323\240\327U\323C\362u\244\111\32\372\32\204\265-CIt\17\2\356\324)~K \304\251H\333\34\212c\223\360cup\376\317\304;M\305'\271\213\10\240c~s\350\24\5\364_\247\\372\200\274P\324\260\230pe\1\364\30@\3029p\303\2355\233S\372\304~\33\15\33\212\10-\20\260>\245\307\271T\273j\246#\244\327\262}T\242\361g8\345\326\251b_\343n\", ) == 0x0 00603 476 NtAllocateVirtualMemory (-1, 1359872, 0, 16384, 4096, 4, ... 1359872, 16384, ) == 0x0 00604 476 NtUserRegisterClassExWOW (1244124, 1244204, 1244188, 1244220, 0, 384, 0, ... ) == 0x810cc038 00605 476 NtUserGetAtomName (49208, 1242888, ... ) == 0x15 00606 476 NtUserCreateWindowEx (0, 49208, 49208, (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... 00607 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240412, ... ) }, 1240412, ... 
) == 0x0 00608 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0 00609 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 80, ... 88, ) == 0x0 00610 476 NtClose (80, ... ) == 0x0 00611 476 NtMapViewOfSection (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 204800, ) == 0x0 00612 476 NtClose (88, ... ) == 0x0 00613 476 NtUnmapViewOfSection (-1, 0x880000, ... ) == 0x0 00614 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240728, ... ) }, 1240728, ... ) == 0x0 00615 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0 00616 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 88, ... 80, ) == 0x0 00617 476 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00618 476 NtClose (88, ... ) == 0x0 00619 476 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00620 476 NtClose (80, ... ) == 0x0 00621 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00622 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00623 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00624 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00625 476 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00626 476 NtClose (80, ... ) == 0x0 00627 476 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00628 476 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 88, ) }, ... 
88, ) == 0x0 00629 476 NtQueryValueKey (88, (88, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 476 NtClose (88, ... ) == 0x0 00631 476 NtClose (80, ... ) == 0x0 00632 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00633 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 80, ) == 0x0 00634 476 NtQueryInformationToken (80, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00635 476 NtClose (80, ... ) == 0x0 00636 476 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 80, ) }, ... 80, ) == 0x0 00637 476 NtOpenKey (0x1, {24, 80, 0x40, 0, 0, (0x1, {24, 80, 0x40, 0, 0, "Control Panel\Desktop"}, ... 88, ) }, ... 88, ) == 0x0 00638 476 NtQueryValueKey (88, (88, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00639 476 NtClose (88, ... ) == 0x0 00640 476 NtClose (80, ... ) == 0x0 00641 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240228, ... ) }, 1240228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00642 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240228, ... ) }, 1240228, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00643 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240228, ... ) }, 1240228, ... ) == 0x0 00644 476 NtUserGetProcessWindowStation (... ) == 0x28 00645 476 NtUserGetObjectInformation (40, 2, 0, 0, 1242524, ... ) == 0x0 00646 476 NtUserGetObjectInformation (40, 2, 1345144, 16, 1242524, ... ) == 0x1 00647 476 NtUserGetGUIThreadInfo (476, 1242480, ... ) == 0x1 00648 476 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242300, 64, ... 80, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242300, 64, ... 
80, 0x0, 0x0, 0x0, 64, ) == 0x0 00649 476 NtRequestWaitReplyPort (80, {32, 56, new_msg, 0, 0, 0, 0, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 464, 476, 1574, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1574, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00650 476 NtRequestWaitReplyPort (80, {32, 56, new_msg, 0, 0, 0, 0, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1575, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 464, 476, 1575, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1575, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00651 476 NtUserCallNoParam (29, ... 00652 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239772, ... ) }, 1239772, ... ) == 0x0 00651 476 NtUserCallNoParam ... ) == 0x0 00653 476 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00654 476 NtGdiHfontCreate (1241852, 356, 0, 0, 1373816, ... ) == 0x70a0454 00655 476 NtGdiHfontCreate (1241852, 356, 0, 0, 1373808, ... ) == 0x60a0455 00656 476 NtRequestWaitReplyPort (80, {32, 56, new_msg, 0, 0, 0, 0, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1576, 0} "\0\0\0\0\0\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... 
{32, 56, reply, 0, 464, 476, 1576, 0} (80, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 476, 1576, 0} "\0\0\0\0\0\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00657 476 NtMapViewOfSection (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 331776, ) == 0x0 00658 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00659 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00660 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00661 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00662 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00663 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00664 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00665 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00666 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00667 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00668 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00669 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00670 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00671 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00672 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00673 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00674 476 NtUserGetWindowDC (0, ... ) == 0x1010050 00675 476 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x1100457 00676 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00677 476 NtUserCallNoParam (29, ... 00678 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00677 476 NtUserCallNoParam ... ) == 0x0 00679 476 NtUserCallNoParam (29, ... 00680 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239212, ... ) }, 1239212, ... ) == 0x0 00679 476 NtUserCallNoParam ... ) == 0x0 00681 476 NtUserMessageCall (0x200ae, WM_NCCREATE, 0x0, 0x12f6b4, 0, 670, 0, ... 
) == 0x1 00682 476 NtUserMessageCall (0x200ae, WM_NCCALCSIZE, 0x0, 0x12f6dc, 0, 670, 0, ... ) == 0x0 00683 476 NtUserSetProp (131246, 43288, -1, ... ) == 0x1 00606 476 NtUserCreateWindowEx ... ) == 0x200ae 00684 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22Q8,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00685 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00686 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00687 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00688 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00689 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00690 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00691 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00692 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... 
-2147482020, 2, ) == 0x0 00693 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "!\252\367v\351#\313\273\30\262\20\325\307N\303r\177\3575\306[\262`YZaf\221\317\331\10>`\206O\272\324\351z\236\331\4\270\357\32\32W\306B\56<\266\300\354\344Aa\371q\222\274gs\355\304M]\224\355oU\257\325g\10^\323\352\222", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "!\252\367v\351#\313\273\30\262\20\325\307N\303r\177\3575\306[\262`YZaf\221\317\331\10>`\206O\272\324\351z\236\331\4\270\357\32\32W\306B\56<\266\300\354\344Aa\371q\222\274gs\355\304M]\224\355oU\257\325g\10^\323\352\222", 80, ... ) , 80, ... ) == 0x0 00694 476 NtClose (-2147482020, ... ) == 0x0 00684 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\35\4~\357+\242\233zVH\352Q\0\244\210\322R-\177_\22\35.\12C \240\26\201\118`\20\222\317\11\202\366\326i\301gL\270\36\3\322\322\242\33\227\201\27\245\274\11\307\236\207\2\361\316\276Kq\241\301{\314r%o\240'\262\343\233\300R\213\364\264\235W*Od\1;\330\25V)\312S\274\301V\265\13\3464\321\337\27\34\200z\13\26\202\17\231\342y\304\303\247\225\2\213\35]R\331\260q\267\30\364\304B\205~\252Am\247 \3048\226\344\323\334cF\316$(d\243>\311\277\3200\263\16\231\351H\345\4-7\375\204\1777\361;\230\204\216\225BE!\242%\327\333\343\22529-"\322d\365\207c[\337\337\13\10J\312\35oX\206\26\372\23\36\31&\355F\216\340,\230\234\253\225\213\317n\276\16\254g\241u\14\34h\360+fN#\373&D\275\327i\341\241\5\252`\26\27e1&\262:\224", ) \322d\365\207c[\337\337\13\10J\312\35oX\206\26\372\23\36\31&\355F\216\340,\230\234\253\225\213\317n\276\16\254g\241u\14\34h\360+fN#\373&D\275\327i\341\241\5\252`\26\27e1&\262:\224", ) == 0x0 00695 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, 
"$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00696 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00697 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00698 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00699 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00700 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00701 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00702 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00703 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00704 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\365\7\235f\230\231\325\105k\373\201\260\360\315E\303D\360\213\341\220\277o\0\377\177\263K\222D\215\345\215!\265\334\264\21\346\7\351\337\353x\363i\2632\260[\213K0\360\3301)`T6\334B\277\235\226\276h\225\372V\205\332\15a\335\311H\1'", 80, ... 
) , 0, 3, (-2147482020, "Seed", 0, 3, "\365\7\235f\230\231\325\105k\373\201\260\360\315E\303D\360\213\341\220\277o\0\377\177\263K\222D\215\345\215!\265\334\264\21\346\7\351\337\353x\363i\2632\260[\213K0\360\3301)`T6\334B\277\235\226\276h\225\372V\205\332\15a\335\311H\1'", 80, ... ) , 80, ... ) == 0x0 00705 476 NtClose (-2147482020, ... ) == 0x0 00695 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\336\323\3616\343w'\367\211\327\362\250\264\301\17U\267\15\0\347]\276\250g\311*PR\37\2623x\320\35@`\261X(t\37\377x\226\374\303h\264\304\10\207\372\364\306\32]\305\305\342\304\201\221\373\244\252\245\301]\227S\266b\370W4Mem\34\345\27\232\326n\270P\326\11\326\346bQ\261Y\2720\3121Uc\6b\220\37\365\307a\371\305\373i\3102\335\337\275\263\315\343\14(\372\3257\\321>\344)\247\12W\276\360\325wK\242\301\241\377\23\256\351\245\377\17\232\270\2\211\250\253e&\361\217h\276T\3\5\247J\335(\273\371\213\230\317X\243\272Er\201\304\210\355E\0\361?I\212\200\362ZJ??5\25\305\263\315D\22\372\346\245\353D!\1\360U\2560\6\201\270\265x\31\256fG\336\320\1,\271\325\341#\232\3550x\207\350\326\253O\312\363\355\2\220\361\15F\25\375\312&\240n/\0,O[\201", ) , ) == 0x0 00706 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231\11\362\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00707 476 NtQuerySystemInformation (TimeOfDay, 48, ... 
{system info, class 3, size 48}, 48, ) == 0x0 00708 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00709 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00710 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00711 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00712 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00713 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00714 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00715 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\1W"\341\364\223l5d\373I\355\351f\336\36%\205\237\257f\212\351|\366i\347e\334\221&\252Q\354mV\330\303\220\345r\37{y9D\4"&\335\370\0)M%\345d-\30\263\23\17Y\324y\322>\372\365{\11\22o\324\334\372\33_\263\264", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\1W"\341\364\223l5d\373I\355\351f\336\36%\205\237\257f\212\351|\366i\347e\334\221&\252Q\354mV\330\303\220\345r\37{y9D\4"&\335\370\0)M%\345d-\30\263\23\17Y\324y\322>\372\365{\11\22o\324\334\372\33_\263\264", 80, ... ) \341\364\223l5d\373I\355\351f\336\36%\205\237\257f\212\351|\366i\347e\334\221&\252Q\354mV\330\303\220\345r\37{y9D\4 (-2147482020, "Seed", 0, 3, "\1W"\341\364\223l5d\373I\355\351f\336\36%\205\237\257f\212\351|\366i\347e\334\221&\252Q\354mV\330\303\220\345r\37{y9D\4"&\335\370\0)M%\345d-\30\263\23\17Y\324y\322>\372\365{\11\22o\324\334\372\33_\263\264", 80, ... ) , 80, ... ) == 0x0 00716 476 NtClose (-2147482020, ... ) == 0x0 00706 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\365o`\330/\26\207\377\334\361\251\6\1I~\350*\325\250m\376Z\267\22\277Ag~~+\333s\255\314\277+\264X\7Or\372B\352\211\210NO\311\276_\7\271\311\362n\331C\230\311\320\375\315\254\314\322\11\362\7\347cLS}\244\370B\241\322\306\335v\374 \376\354\352_\25\300\2\3334\277\332y\3761\241\217)\305\252\177\321(\\4QPP\331\357\305\305\344\316*\333ua\5Q"\304\364\3519\252b)\277\353\234%\14\256)\206\37gJ\24\345\207\325\226T\267\313]_#o\311$\326gs\330\373 \366\212\274\201{\1\2519\224z\234\16VZ\D\243\252\23*\365O\220\347\205\4\361\271\305\34\217\256\23YH\237\15\336 }\216pP\342\32\5Yn\334A\315\3769\355\10\351,|\371\211\32\276\242\224'\33585\313\234\206E}Tt\264\326o\343\32\361x%TCiuP\2\370\11\346", ) \304\364\3519\252b)\277\353\234%\14\256)\206\37gJ\24\345\207\325\226T\267\313]_#o\311$\326gs\330\373 \366\212\274\201{\1\2519\224z\234\16VZ\D\243\252\23*\365O\220\347\205\4\361\271\305\34\217\256\23YH\237\15\336 }\216pP\342\32\5Yn\334A\315\3769\355\10\351,|\371\211\32\276\242\224'\33585\313\234\206E}Tt\264\326o\343\32\361x%TCiuP\2\370\11\346", ) == 0x0 00717 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00718 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00719 476 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 00720 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00721 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00722 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00723 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00724 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00725 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00726 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\213\217\352W\330\212\21\222 @lV>V'\21c\334\226!\305\370\23[\314;\227V'\361\331\216\261\2w\2022q\276\271\25\26G\2742\335L\30\271]3\307\306o\361\242\261\334a\37\4\202\306~\64]\2278\333:\360"\337M\376\355\324e\2", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\213\217\352W\330\212\21\222 @lV>V'\21c\334\226!\305\370\23[\314;\227V'\361\331\216\261\2w\2022q\276\271\25\26G\2742\335L\30\271]3\307\306o\361\242\261\334a\37\4\202\306~\64]\2278\333:\360"\337M\376\355\324e\2", 80, ... ) \337M\376\355\324e\2", 80, ... ) == 0x0 00727 476 NtClose (-2147482020, ... ) == 0x0 00717 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "E-Id\31\315\346\325`\322% 8Tc\331\{s\2242~\32\302b\30K\303\277f\314+\26\202\234e\372\235{\346g,\230$\346\242YI\376=,gUc'\275\316\265q\210\353]m\306Yq8y\317\25'|\15\27\21\341\346\306\353\260\347\317\344Jl?0%\332\356\362<\307H\250\5\322.\373\304\277\177{1\332\264\216\237s\30 b\367\177\36\340a'\252-bG&yQ\254Q\243\352x\250\273\216\220ZU\337\15\215\33"p\2770\304\246\315e&\311\341\237\30\251\3544\12\231P\200\206\360\361\207\335A\242\265\16(\200\32]\5s\236\272\246\236\216\251\200\26\%\12.\33jF\351\224\30d*\14=\25n\367#\327\30\316\247a\223\10\362\305\20\341\345\3776\237\301\245\2678\272\240\363\201\342a2\236\11\277C\332\202}=\301\244\361\26\340\5\3706\245<\250\365\30]\253\20N\211B", ) p\2770\304\246\315e&\311\341\237\30\251\3544\12\231P\200\206\360\361\207\335A\242\265\16(\200\32]\5s\236\272\246\236\216\251\200\26\%\12.\33jF\351\224\30d*\14=\25n\367#\327\30\316\247a\223\10\362\305\20\341\345\3776\237\301\245\2678\272\240\363\201\342a2\236\11\277C\332\202}=\301\244\361\26\340\5\3706\245<\250\365\30]\253\20N\211B", ) == 0x0 00728 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00729 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00730 476 NtQuerySystemInformation (ProcessorTimes, 48, ... 
{system info, class 8, size 48}, 48, ) == 0x0 00731 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00732 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00733 476 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 00734 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00735 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00736 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00737 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\2036(\220\224[\24\260ll\222`S\272\335\262\202\31\25\222<\370\37H4\201r\26, 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\2036(\220\224[\24\260ll\222`S\272\335\262\202\31\25\222<\370\37H4\201r\26, 80, ... ) , 80, ... ) == 0x0 00738 476 NtClose (-2147482020, ... ) == 0x0 00728 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "n\13U\356\274<\17\242~\270\372\320\371]\243\206d\316\315\200\270,\226\22(Q\270\250\335\314\222\1772\230\305@\16\216\334\277\11{\335*\10[\201[O\273d\221\236\320>2\370%\227\346\24\377.d\202S\177J!\347\207dFl2\6P-@\333\207A\224N\332E\307\207\B\251\203F\315\330w\350\341\323K\3422\36\205\272s\311\313\270\237E\1\212\15\324\265W\3462\351"a"\21\12N\361\351\346F\362\343~!\224:\234\311tkG\366\344\2419\3d\350\17\363\377Y\227\2577\3778\212v\225\261k\1\257\26l\2215\3\34\365\310\307\255\300D\252L\177\\31X\260\232\33\333\357\21\214/\334d\177\307\31\14\276.;O\24BJ\225>\332\210\216\266t.&\363\327~\247\371\365\315\306o;0\347\240\324Emc\372\223\201\354\2424C\275;\354\211\23\266\207\277\220O\237&\201};\243w.", ) a ... 
{status=0x0, info=256}, "n\13U\356\274<\17\242~\270\372\320\371]\243\206d\316\315\200\270,\226\22(Q\270\250\335\314\222\1772\230\305@\16\216\334\277\11{\335*\10[\201[O\273d\221\236\320>2\370%\227\346\24\377.d\202S\177J!\347\207dFl2\6P-@\333\207A\224N\332E\307\207\B\251\203F\315\330w\350\341\323K\3422\36\205\272s\311\313\270\237E\1\212\15\324\265W\3462\351"a"\21\12N\361\351\346F\362\343~!\224:\234\311tkG\366\344\2419\3d\350\17\363\377Y\227\2577\3778\212v\225\261k\1\257\26l\2215\3\34\365\310\307\255\300D\252L\177\\31X\260\232\33\333\357\21\214/\334d\177\307\31\14\276.;O\24BJ\225>\332\210\216\266t.&\363\327~\247\371\365\315\306o;0\347\240\324Emc\372\223\201\354\2424C\275;\354\211\23\266\207\277\220O\237&\201};\243w.", ) , ) == 0x0 00739 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00740 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00741 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00742 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00743 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00744 476 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00745 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00746 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00747 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00748 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "\262\2\367\300~\37\203\221E\1(\213\203\351\256\24\11\3770\342\205\303}\263e\227\32E\206\7\366g\22\200\317\1\35\375\15\\225\355]Rt\373=\27 \306,\250\373Q\331\201F\201h\240\30\355\315\245"\342v\6\245q\3:\332sI\17K\244\377\325", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "\262\2\367\300~\37\203\221E\1(\213\203\351\256\24\11\3770\342\205\303}\263e\227\32E\206\7\366g\22\200\317\1\35\375\15\\225\355]Rt\373=\27 \306,\250\373Q\331\201F\201h\240\30\355\315\245"\342v\6\245q\3:\332sI\17K\244\377\325", 80, ... ) \342v\6\245q\3:\332sI\17K\244\377\325", 80, ... ) == 0x0 00749 476 NtClose (-2147482020, ... ) == 0x0 00739 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\242\276\300\257rm|0\215\373\241\3242\367\361pX\323\354\346.\274d\\365\267`\377\332\346\10\17\254T\345\221\206u\36l\231\37\270i\246\237\214\33|>\235\252\3735L\256'?\224q\355e=#]\254\305\226\32\357s\31\246E\21?,\266\350\356F\211\240\214\250\217=\361\4\27\205?KB\7I\307\212L\177\232x\31\335\342\232\323\245nR\277\20\26^\325\377\354\212=\346qE\307JTY\221\350\2758kZ=q\351.\256\13 H\235A{)3\177]\326\24P\33\257&\205\306\377k\265\32\370\321\322\361Y\246\355\16\17\213\376V\330>\351r\260\272\365Q\350\372l\264Vv\323PSe\226ls\316,\203p\350\15:\3224\305\265\242\336\363v\276\0\240\261A\355\244=<\205\234\334\222x\203\3557L\201\235\12\311\2316$\303\375G+\342\216\335f\302w\336\241\377\265\331\241\323\21\235\17\30p ", ) , ) == 0x0 00750 476 NtDeviceIoControlFile (84, 0, 0x0, 0x0, 0x390008, (84, 0, 0x0, 0x0, 0x390008, "$\177(\322\364\220\2514\361\264c\236\272\22\10Y\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231\11\362\242\3349\236\231P\223,\6\2579\242\253-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 00751 476 NtQuerySystemInformation (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0 00752 476 NtQuerySystemInformation (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0 00753 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 00754 476 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 00755 476 NtQuerySystemInformation (Lookaside, 32, ... 
{system info, class 45, size 32}, 32, ) == 0x0 00756 476 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 00757 476 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 00758 476 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0 00759 476 NtSetValueKey (-2147482020, (-2147482020, "Seed", 0, 3, "W\271R\221\316\232P\333\346%\13^\240Y>8\257B\236J[\360\35h\371@\125+z<\212`V\340tq\361G\225\233\376\177\257\275\310O\3633]\260\245|\15\201\3124\201\246f^_nF\3652\231\36\240\227\1\25\304\361Q/\272]\347X", 80, ... ) , 0, 3, (-2147482020, "Seed", 0, 3, "W\271R\221\316\232P\333\346%\13^\240Y>8\257B\236J[\360\35h\371@\125+z<\212`V\340tq\361G\225\233\376\177\257\275\310O\3633]\260\245|\15\201\3124\201\246f^_nF\3652\231\36\240\227\1\25\304\361Q/\272]\347X", 80, ... ) , 80, ... ) == 0x0 00760 476 NtClose (-2147482020, ... ) == 0x0 00750 476 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "6G\316|\302Q\252\205\10\327\14\334\217\361+6u\20\6\22c)\11E\251\351R\224\33\322\271\235\361\326d \215E\221\311\177\3358\345 XM^\236@\276\321\211\251\34\244p@\23hp[\317\207I\370\2645\246za\367\336\315\241\346\22\357\304\277\364\273(\242\226\377\354@6N\335\49T\341:}d4[Kk\317\341'\331U\261\171z\34\366B'\272\346c\310\277\266\351T\34\315\375\367\2230\24\374\200G\353\227\37[\247\246\177\220\355>\353\320)4\300\11Dg\263N_,\323\300\4$A=\3\3\2055\276\356V\266\360J\251\264\11"V\15\2335\3\3601`\353\346\201,z\364c\375\2\344\320\316!\26\377\356\300*F^\331`\213\177A\315\211\356\213+\251a\352m\266\355*\31\327\251.\375 '\221\262\351\226!\222k\1\22k\Ui\224\346\356\310\261\217\352su\271\266\272.q\212\301", ) V\15\2335\3\3601`\353\346\201,z\364c\375\2\344\320\316!\26\377\356\300*F^\331`\213\177A\315\211\356\213+\251a\352m\266\355*\31\327\251.\375 '\221\262\351\226!\222k\1\22k\Ui\224\346\356\310\261\217\352su\271\266\272.q\212\301", ) == 0x0 00761 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00762 476 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9306112, 262144, ) == 0x0 00763 476 NtAllocateVirtualMemory (-1, 9306112, 0, 4096, 4096, 4, ... 9306112, 4096, ) == 0x0 00764 476 NtAllocateVirtualMemory (-1, 9310208, 0, 8192, 4096, 4, ... 9310208, 8192, ) == 0x0 00765 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00766 476 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00767 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 92, ) == 0x0 00768 476 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9568256, 1048576, ) == 0x0 00769 476 NtAllocateVirtualMemory (-1, 10608640, 0, 8192, 4096, 4, ... 10608640, 8192, ) == 0x0 00770 476 NtProtectVirtualMemory (-1, (0xa1e000), 4096, 260, ... (0xa1e000), 4096, 4, ) == 0x0 00771 476 NtCreateThread (0x1f03ff, 0x0, -1, 1243600, 1244316, 1, ... 96, {464, 864}, ) == 0x0 00772 476 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=464,Tid=864,}, 0x0, ) == 0x0 00773 476 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243500, 1243472, 1243516, 1998275196} (24, {28, 56, new_msg, 0, 1243500, 1243472, 1243516, 1998275196} "\0\0\0\0\1\0\1\0\374\377\377\377\337\347\367w`\0\0\0\320\1\0\0`\3\0\0" ... {28, 56, reply, 0, 464, 476, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\337\347\367w`\0\0\0\320\1\0\0`\3\0\0" ) ... {28, 56, reply, 0, 464, 476, 1577, 0} (24, {28, 56, new_msg, 0, 1243500, 1243472, 1243516, 1998275196} "\0\0\0\0\1\0\1\0\374\377\377\377\337\347\367w`\0\0\0\320\1\0\0`\3\0\0" ... {28, 56, reply, 0, 464, 476, 1577, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\337\347\367w`\0\0\0\320\1\0\0`\3\0\0" ) ) == 0x0 00774 476 NtResumeThread (96, ... 1, ) == 0x0 00775 476 NtQueryDefaultLocale (1, 1243172, ... ) == 0x0 00776 864 NtAllocateVirtualMemory (-1, 8667136, 0, 4096, 4096, 4, ... 8667136, 4096, ) == 0x0 00777 864 NtTestAlert (... ) == 0x0 00778 864 NtContinue (10616112, 1, ... 00779 864 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00780 864 NtWaitForSingleObject (92, 0, 0x0, ... 00781 476 NtQueryDefaultLocale (1, 1242564, ... ) == 0x0 00782 476 NtQueryDefaultLocale (1, 1243112, ... ) == 0x0 00783 476 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1374736, 0, (0x1f0003, {24, 52, 0x80, 1374736, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 100, ) }, 0, 2147483647, ... 
100, ) == STATUS_OBJECT_NAME_EXISTS 00784 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 00785 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 00786 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 104, ) }, ... 104, ) == 0x0 00787 476 NtQueryValueKey (104, (104, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 00788 476 NtClose (104, ... ) == 0x0 00789 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files"}, 1241716, ... ) }, 1241716, ... ) == 0x0 00790 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\delsim"}, 1243308, ... ) }, 1243308, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00791 476 NtCreateFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\delsim"}, 0x0, 128, 3, 2, 16417, 0, 0, ... 104, {status=0x0, info=2}, ) }, 0x0, 128, 3, 2, 16417, 0, 0, ... 104, {status=0x0, info=2}, ) == 0x0 00792 476 NtClose (104, ... ) == 0x0 00793 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\delsim"}, 1243308, ... ) }, 1243308, ... ) == 0x0 00794 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\delsim"}, 7, 2113568, ... 104, {status=0x0, info=1}, ) }, 7, 2113568, ... 104, {status=0x0, info=1}, ) == 0x0 00795 476 NtSetInformationFile (104, 1243284, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00796 476 NtClose (104, ... 
) == 0x0 00797 476 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242208, (0x80100080, {24, 0, 0x40, 0, 1242208, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 104, {status=0x0, info=1}, ) == 0x0 00798 476 NtQueryInformationFile (104, 1243144, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00799 476 NtQueryInformationFile (104, 1243116, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00800 476 NtQueryInformationFile (104, 1243068, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00801 476 NtAllocateVirtualMemory (-1, 1376256, 0, 8192, 4096, 4, ... 1376256, 8192, ) == 0x0 00802 476 NtQueryInformationFile (104, 1375488, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00803 476 NtQueryInformationFile (104, 1241612, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00804 476 NtQueryInformationFile (104, 1241456, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00805 476 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1241464, (0x40110080, {24, 0, 0x40, 0, 1241464, "\??\C:\Program Files\Common Files\delsim\del.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00806 476 NtClose (-2147482020, ... ) == 0x0 00805 476 NtCreateFile ... 108, {status=0x0, info=2}, ) == 0x0 00807 476 NtQueryVolumeInformationFile (108, 1240836, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 00808 476 NtQueryInformationFile (108, 1240796, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00809 476 NtQueryVolumeInformationFile (104, 1240836, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00810 476 NtQueryVolumeInformationFile (104, 1240520, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00811 476 NtSetInformationFile (108, 1240624, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00812 476 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 104, ... 112, ) == 0x0 00813 476 NtMapViewOfSection (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 65536, ) == 0x0 00814 476 NtClose (112, ... 
) == 0x0 00815 476 NtWriteFile (108, 0, 0, 0, (108, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\303\362k\334\207\223\5\217\207\223\5\217\207\223\5\217\374\217\11\217\205\223\5\217o\214\17\217\227\223\5\217\4\217\13\217\213\223\5\217\207\223\5\217\213\223\5\217\321\214\26\217\216\223\5\217\345\214\26\217\214\223\5\217\207\223\4\217\351\223\5\217o\214\16\217\200\223\5\217?\225\3\217\206\223\5\217Rich\207\223\5\217\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\310\215/F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\262\0\0\0L\0\0\0\0\0\0\240\255\0\0\0\20\0\0\0\320\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\00\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\234\330\0\0\240\0\0\0\0\0\1\0\350(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\364\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\05\260\0\0\0\20\0\0\0\262\0\0", 61440, 0x0, 0, ... {status=0x0, info=61440}, ) , 61440, 0x0, 0, ... 
{status=0x0, info=61440}, ) == 0x0 00816 476 NtWriteFile (108, 0, 0, 0, (108, 0, 0, 0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, 0x0, 0, ... {status=0x0, info=4096}, ) , 4096, 0x0, 0, ... {status=0x0, info=4096}, ) == 0x0 00817 476 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 00818 476 NtSetInformationFile (108, 1243068, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00819 476 NtClose (104, ... ) == 0x0 00820 476 NtClose (108, ... ) == 0x0 00821 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 00822 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 00823 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 108, 2, ) }, 0, 0x0, 0, ... 108, 2, ) == 0x0 00824 476 NtQueryValueKey (108, (108, "Common Start Menu", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0"}, 70, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (108, "Common Start Menu", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0"}, 70, ) }, 70, ) == 0x0 00825 476 NtClose (108, ... ) == 0x0 00826 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu"}, 1241588, ... ) }, 1241588, ... ) == 0x0 00827 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 108, 2, ) }, 0, 0x0, 0, ... 108, 2, ) == 0x0 00828 476 NtSetValueKey (108, (108, "Common Start Menu", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0", 94, ... ) , 0, 1, (108, "Common Start Menu", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0", 94, ... ) , 94, ... ) == 0x0 00829 476 NtClose (108, ... ) == 0x0 00830 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 108, ) }, ... 108, ) == 0x0 00831 476 NtQueryValueKey (108, (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00832 476 NtClose (108, ... ) == 0x0 00833 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CLBCATQ.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00834 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\CLBCATQ.DLL"}, 1240132, ... ) }, 1240132, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00835 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "CLBCATQ.DLL"}, 1240132, ... ) }, 1240132, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00836 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 1240132, ... ) }, 1240132, ... ) == 0x0 00837 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\CLBCATQ.DLL"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00838 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0 00839 476 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00840 476 NtClose (108, ... ) == 0x0 00841 476 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fd0000), 0x0, 491520, ) == 0x0 00842 476 NtClose (104, ... ) == 0x0 00843 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "COMRes.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00844 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\COMRes.dll"}, 1239328, ... ) }, 1239328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00845 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "COMRes.dll"}, 1239328, ... ) }, 1239328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00846 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 1239328, ... ) }, 1239328, ... ) == 0x0 00847 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\COMRes.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00848 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0 00849 476 NtQuerySection (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00850 476 NtClose (104, ... ) == 0x0 00851 476 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77050000), 0x0, 806912, ) == 0x0 00852 476 NtClose (108, ... 
) == 0x0 00853 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 108, ) }, ... 108, ) == 0x0 00854 476 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 00855 476 NtClose (108, ... ) == 0x0 00856 476 NtOpenKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3\Debug"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00858 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLE"}, ... 108, ) }, ... 108, ) == 0x0 00859 476 NtQueryValueKey (108, (108, "MinimumFreeMemPercentageToCreateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00860 476 NtQueryValueKey (108, (108, "MinimumFreeMemPercentageToCreateObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00861 476 NtClose (108, ... ) == 0x0 00862 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\Registration"}, 1240160, ... ) }, 1240160, ... ) == 0x0 00863 476 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00864 476 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00865 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 108, ) }, ... 108, ) == 0x0 00866 476 NtQueryValueKey (108, (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Com+Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00867 476 NtClose (108, ... 
) == 0x0 00868 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 108, ) }, ... 108, ) == 0x0 00869 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0 00870 476 NtNotifyChangeKey (108, 104, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00871 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 112, ) }, ... 112, ) == 0x0 00872 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 116, ) == 0x0 00873 476 NtNotifyChangeKey (112, 116, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00874 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0 00875 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 124, ) }, ... 124, ) == 0x0 00876 476 NtSetInformationObject (124, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00877 476 NtNotifyChangeKey (124, 120, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00878 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 128, ) }, ... 128, ) == 0x0 00879 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 132, ) == 0x0 00880 476 NtNotifyChangeKey (128, 132, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00881 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 136, ) == 0x0 00882 476 NtNotifyChangeKey (124, 136, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00883 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 140, ) }, ... 140, ) == 0x0 00884 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 144, ) == 0x0 00885 476 NtNotifyChangeKey (140, 144, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00886 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 148, ) }, ... 148, ) == 0x0 00887 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
152, ) == 0x0 00888 476 NtNotifyChangeKey (148, 152, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00889 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 156, ) }, ... 156, ) == 0x0 00890 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 00891 476 NtNotifyChangeKey (156, 160, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00892 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes"}, ... 164, ) }, ... 164, ) == 0x0 00893 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0 00894 476 NtNotifyChangeKey (164, 168, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00895 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 172, ) }, ... 172, ) == 0x0 00896 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0 00897 476 NtNotifyChangeKey (172, 176, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00898 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 00899 476 NtNotifyChangeKey (124, 180, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00900 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 184, ) }, ... 184, ) == 0x0 00901 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0 00902 476 NtNotifyChangeKey (184, 188, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00903 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 192, ) }, ... 192, ) == 0x0 00904 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0 00905 476 NtNotifyChangeKey (192, 196, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00906 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Classes\CLSID"}, ... 200, ) }, ... 200, ) == 0x0 00907 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
204, ) == 0x0 00908 476 NtNotifyChangeKey (200, 204, 0, 0, 2011390432, 5, 1, 0, 0, 1, ... ) == 0x103 00909 476 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 208, ) }, ... 208, ) == 0x0 00911 476 NtQueryValueKey (208, (208, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (208, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00912 476 NtClose (208, ... ) == 0x0 00913 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00914 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00915 476 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "__R_000000000007_SMem__"}, ... 208, ) }, ... 208, ) == 0x0 00916 476 NtMapViewOfSection (208, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 24576, ) == 0x0 00917 476 NtAllocateVirtualMemory (-1, 8671232, 0, 8192, 4096, 4, ... 8671232, 8192, ) == 0x0 00918 476 NtOpenSection (0x4, {24, 52, 0x2, 0, 0, (0x4, {24, 52, 0x2, 0, 0, "Global\ComPlusCOMRegTable"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\COM3"}, ... 212, ) }, ... 212, ) == 0x0 00920 476 NtQueryValueKey (212, (212, "REGDBVersion", Partial, 144, ... TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (212, "REGDBVersion", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\7\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00921 476 NtClose (212, ... ) == 0x0 00922 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00923 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00924 476 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 1, ... 10682368, 65536, ) == 0x0 00925 476 NtAllocateVirtualMemory (-1, 10682368, 0, 4096, 4096, 4, ... 10682368, 4096, ) == 0x0 00926 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00927 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 212, ) == 0x0 00928 476 NtQueryInformationToken (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00929 476 NtClose (212, ... ) == 0x0 00930 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 212, ) }, ... 212, ) == 0x0 00931 476 NtSetInformationObject (214, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00932 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00933 476 NtOpenKey (0x20019, {24, 214, 0x40, 0, 0, (0x20019, {24, 214, 0x40, 0, 0, "CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... 216, ) }, ... 216, ) == 0x0 00935 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}0"}, 162, ) }, 162, ) == 0x0 00936 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00937 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00938 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00939 476 NtClose (220, ... ) == 0x0 00940 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 476 NtOpenKey (0x1, {24, 218, 0x40, 0, 0, (0x1, {24, 218, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 476 NtClose (218, ... ) == 0x0 00943 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 00944 476 NtOpenKey (0x20019, {24, 214, 0x40, 0, 0, (0x20019, {24, 214, 0x40, 0, 0, "CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... 216, ) }, ... 216, ) == 0x0 00946 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}0"}, 162, ) }, 162, ) == 0x0 00947 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00948 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00949 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00950 476 NtClose (220, ... 
) == 0x0 00951 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocServer32"}, ... 220, ) }, ... 220, ) == 0x0 00953 476 NtQueryKey (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00954 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00955 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 00956 476 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00957 476 NtClose (224, ... ) == 0x0 00958 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 476 NtQueryValueKey (222, (222, "InprocServer32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 476 NtClose (222, ... ) == 0x0 00961 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 00962 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00963 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00964 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00965 476 NtClose (220, ... 
) == 0x0 00966 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00967 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocServerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 00969 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00970 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00971 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00972 476 NtClose (220, ... ) == 0x0 00973 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00974 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00975 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 00976 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00977 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00978 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00979 476 NtClose (220, ... ) == 0x0 00980 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00981 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocServer32"}, ... 220, ) }, ... 220, ) == 0x0 00982 476 NtQueryKey (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, 192, ) }, 192, ) == 0x0 00983 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00984 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 00985 476 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00986 476 NtClose (224, ... ) == 0x0 00987 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00988 476 NtQueryValueKey (222, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (222, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 00989 476 NtClose (222, ... ) == 0x0 00990 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 00991 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00992 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 00993 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00994 476 NtClose (220, ... ) == 0x0 00995 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00996 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocHandler32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00997 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 00998 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00999 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01000 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01001 476 NtClose (220, ... ) == 0x0 01002 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01003 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocHandlerX86"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01004 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 01005 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01006 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01007 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01008 476 NtClose (220, ... ) == 0x0 01009 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01010 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "LocalServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01011 476 NtQueryKey (218, Name, 384, ... 
{Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}_"}, 162, ) }, 162, ) == 0x0 01012 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01013 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01014 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01015 476 NtClose (220, ... ) == 0x0 01016 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01017 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "LocalServer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01018 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01019 476 NtOpenKey (0x20019, {24, 214, 0x40, 0, 0, (0x20019, {24, 214, 0x40, 0, 0, "CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01020 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... 220, ) }, ... 220, ) == 0x0 01021 476 NtQueryKey (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}0"}, 162, ) }, 162, ) == 0x0 01022 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01023 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01024 476 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01025 476 NtClose (224, ... 
) == 0x0 01026 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01027 476 NtQueryValueKey (222, (222, "AppID", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01028 476 NtClose (222, ... ) == 0x0 01029 476 NtClose (218, ... ) == 0x0 01030 476 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 216, ) == 0x0 01031 476 NtQueryInformationProcess (216, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 01032 476 NtClose (216, ... ) == 0x0 01033 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01034 476 NtOpenKey (0x20019, {24, 214, 0x40, 0, 0, (0x20019, {24, 214, 0x40, 0, 0, "CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01035 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... 216, ) }, ... 216, ) == 0x0 01036 476 NtQueryKey (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}0"}, 162, ) }, 162, ) == 0x0 01037 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01038 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01039 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01040 476 NtClose (220, ... ) == 0x0 01041 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01042 476 NtOpenKey (0x2000000, {24, 218, 0x40, 0, 0, (0x2000000, {24, 218, 0x40, 0, 0, "InprocServer32"}, ... 220, ) }, ... 220, ) == 0x0 01043 476 NtQueryKey (222, Name, 392, ... {Name= (222, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01044 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01045 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 224, ) == 0x0 01046 476 NtQueryInformationToken (224, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01047 476 NtClose (224, ... ) == 0x0 01048 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01049 476 NtQueryValueKey (222, (222, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (222, "ThreadingModel", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0p\0a\0r\0t\0m\0e\0n\0t\0\0\0"}, 32, ) }, 32, ) == 0x0 01050 476 NtClose (222, ... ) == 0x0 01051 476 NtClose (218, ... ) == 0x0 01052 476 NtAllocateVirtualMemory (-1, 1384448, 0, 8192, 4096, 4, ... 1384448, 8192, ) == 0x0 01053 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01054 476 NtOpenKey (0x20019, {24, 214, 0x40, 0, 0, (0x20019, {24, 214, 0x40, 0, 0, "CLSID\{00021401-0000-0000-C000-000000000046}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01055 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}"}, ... 216, ) }, ... 216, ) == 0x0 01056 476 NtQueryKey (218, Name, 384, ... 
{Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}0"}, 162, ) }, 162, ) == 0x0 01057 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01058 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 220, ) == 0x0 01059 476 NtQueryInformationToken (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01060 476 NtClose (220, ... ) == 0x0 01061 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01062 476 NtOpenKey (0x1, {24, 218, 0x40, 0, 0, (0x1, {24, 218, 0x40, 0, 0, "TreatAs"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01063 476 NtClose (218, ... ) == 0x0 01064 476 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01065 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 216, ) == 0x0 01066 476 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\del.lnk"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01067 476 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1374736, 0, (0x1f0003, {24, 52, 0x80, 1374736, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 220, ) }, 0, 2147483647, ... 220, ) == STATUS_OBJECT_NAME_EXISTS 01068 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01069 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01070 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01071 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01072 476 NtQueryValueKey (224, (224, "NoNetHood", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01073 476 NtClose (224, ... ) == 0x0 01074 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01075 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01076 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01077 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01078 476 NtQueryValueKey (224, (224, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 476 NtClose (224, ... ) == 0x0 01080 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01081 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01082 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01083 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01084 476 NtQueryValueKey (224, (224, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01085 476 NtClose (224, ... ) == 0x0 01086 476 NtOpenKey (0x9, {24, 28, 0x40, 0, 0, (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01087 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01088 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01089 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01090 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01091 476 NtQueryValueKey (224, (224, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01092 476 NtClose (224, ... ) == 0x0 01093 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01094 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01095 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01096 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01097 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01098 476 NtQueryValueKey (224, (224, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01099 476 NtClose (224, ... ) == 0x0 01100 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01101 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01102 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01103 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 224, ) }, ... 224, ) == 0x0 01104 476 NtQueryValueKey (224, (224, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01105 476 NtClose (224, ... ) == 0x0 01106 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESi"}, 138, ) }, 138, ) == 0x0 01107 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01108 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 224, ) }, ... 224, ) == 0x0 01109 476 NtQueryKey (226, Name, 392, ... {Name= (226, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0 01110 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01111 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 228, ) == 0x0 01112 476 NtQueryInformationToken (228, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01113 476 NtClose (228, ... ) == 0x0 01114 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01115 476 NtQueryValueKey (226, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (226, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01116 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1235220, ... ) }, 1235220, ... ) == 0x0 01117 476 NtClose (226, ... ) == 0x0 01118 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01119 476 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01120 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01121 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1236368, ... ) }, 1236368, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01122 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1236368, ... ) }, 1236368, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01123 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1236368, ... ) }, 1236368, ... ) == 0x0 01124 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0 01125 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 224, ... 228, ) == 0x0 01126 476 NtQuerySection (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01127 476 NtClose (224, ... ) == 0x0 01128 476 NtMapViewOfSection (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01129 476 NtClose (228, ... ) == 0x0 01130 476 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01131 476 NtQueryDefaultLocale (1, 1236200, ... ) == 0x0 01132 476 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 01133 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01134 476 NtQueryValueKey (228, (228, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01135 476 NtClose (228, ... ) == 0x0 01136 476 NtUserGetProcessWindowStation (... 
) == 0x28 01137 476 NtUserGetObjectInformation (40, 1, 1235872, 12, 1235884, ... ) == 0x1 01138 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 228, ) }, ... 228, ) == 0x0 01139 476 NtQueryValueKey (228, (228, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01140 476 NtClose (228, ... ) == 0x0 01141 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01142 476 NtQueryValueKey (228, (228, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01143 476 NtQueryValueKey (228, (228, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01144 476 NtClose (228, ... ) == 0x0 01145 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01146 476 NtQueryValueKey (228, (228, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01147 476 NtQueryValueKey (228, (228, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (228, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01148 476 NtClose (228, ... ) == 0x0 01149 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01150 476 NtQueryValueKey (228, (228, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01151 476 NtQueryValueKey (228, (228, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01152 476 NtClose (228, ... ) == 0x0 01153 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01154 476 NtQueryValueKey (228, (228, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01155 476 NtQueryValueKey (228, (228, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01156 476 NtClose (228, ... ) == 0x0 01157 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 228, ) }, ... 228, ) == 0x0 01158 476 NtQueryValueKey (228, (228, "DriverCachePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (228, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01159 476 NtQueryValueKey (228, (228, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (228, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01160 476 NtClose (228, ... ) == 0x0 01161 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 228, ) }, ... 228, ) == 0x0 01162 476 NtQueryValueKey (228, (228, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (228, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01163 476 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 01164 476 NtClose (228, ... ) == 0x0 01165 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 228, ) == 0x0 01166 476 NtCreateMutant (0x1f0001, 0x0, 0, ... 224, ) == 0x0 01167 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 232, ) == 0x0 01168 476 NtCreateMutant (0x1f0001, 0x0, 0, ... 236, ) == 0x0 01169 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 01170 476 NtCreateMutant (0x1f0001, 0x0, 0, ... 244, ) == 0x0 01171 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 248, ) }, ... 
248, ) == 0x0 01172 476 NtQueryValueKey (248, (248, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 476 NtQueryValueKey (248, (248, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 476 NtOpenKey (0x1, {24, 248, 0x40, 0, 0, (0x1, {24, 248, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01175 476 NtClose (248, ... ) == 0x0 01176 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1235792, ... ) }, 1235792, ... ) == 0x0 01177 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 248, ) }, ... 248, ) == 0x0 01178 476 NtQueryValueKey (248, (248, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (248, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (248, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01179 476 NtClose (248, ... ) == 0x0 01180 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 248, ) }, ... 248, ) == 0x0 01181 476 NtQueryValueKey (248, (248, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (248, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (248, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01182 476 NtClose (248, ... 
) == 0x0 01183 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 248, ) }, ... 248, ) == 0x0 01185 476 NtQueryValueKey (248, (248, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (248, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (248, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01186 476 NtClose (248, ... ) == 0x0 01187 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01188 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 248, ) }, ... 248, ) == 0x0 01190 476 NtQueryValueKey (248, (248, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01191 476 NtClose (248, ... ) == 0x0 01192 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01193 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 248, ) == 0x0 01194 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 252, ) == 0x0 01195 476 NtQuerySystemTime (... 
{1104497154, 29874551}, ) == 0x0 01196 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0 01197 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01198 476 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01199 476 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01200 476 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01201 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 260, ) == 0x0 01202 476 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 264, ) == 0x0 01203 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 268, ) }, ... 268, ) == 0x0 01204 476 NtOpenKey (0x20019, {24, 268, 0x40, 0, 0, (0x20019, {24, 268, 0x40, 0, 0, "ActiveComputerName"}, ... 272, ) }, ... 272, ) == 0x0 01205 476 NtQueryValueKey (272, (272, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (272, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (272, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01206 476 NtClose (272, ... ) == 0x0 01207 476 NtClose (268, ... ) == 0x0 01208 476 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 268, ) == 0x0 01209 476 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 272, ) == 0x0 01210 476 NtDuplicateObject (-1, 268, -1, 0x0, 0, 2, ... 276, ) == 0x0 01211 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01212 476 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 01213 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
280, ) == 0x0 01214 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01215 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01216 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236572, (0xc0100080, {24, 0, 0x40, 0, 1236572, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0 01217 476 NtSetInformationFile (284, 1236628, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01218 476 NtSetInformationFile (284, 1236620, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01219 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01220 476 NtWriteFile (284, 261, 0, 0, (284, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01221 476 NtReadFile (284, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (284, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01222 476 NtFsControlFile (284, 261, 0x0, 0x0, 0x11c017, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\345\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\345\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20x\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01223 476 NtFsControlFile (284, 261, 0x0, 0x0, 0x11c017, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48}, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01224 476 NtFsControlFile (284, 261, 0x0, 0x0, 0x11c017, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0ZM\320zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01225 476 NtClose (280, ... ) == 0x0 01226 476 NtClose (284, ... ) == 0x0 01227 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01228 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0 01229 476 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 01230 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01231 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236572, (0xc0100080, {24, 0, 0x40, 0, 1236572, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 280, {status=0x0, info=1}, ) == 0x0 01232 476 NtSetInformationFile (280, 1236628, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01233 476 NtSetInformationFile (280, 1236620, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01234 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01235 476 NtWriteFile (280, 261, 0, 0, (280, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01236 476 NtReadFile (280, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (280, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01237 476 NtFsControlFile (280, 261, 0x0, 0x0, 0x11c017, (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\345\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\24\345\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01238 476 NtFsControlFile (280, 261, 0x0, 0x0, 0x11c017, (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103 01239 476 NtFsControlFile (280, 261, 0x0, 0x0, 0x11c017, (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36}, (280, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0[M\320zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01240 476 NtClose (284, ... ) == 0x0 01241 476 NtClose (280, ... ) == 0x0 01242 476 NtOpenThreadToken (-2, 0x20, 1, ... 
) == STATUS_NO_TOKEN 01243 476 NtOpenProcessToken (-1, 0x20, ... 280, ) == 0x0 01244 476 NtAdjustPrivilegesToken (280, 0, 1400152, 0, 0, 0, ... ) == 0x0 01245 476 NtClose (280, ... ) == 0x0 01246 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01247 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 280, ) == 0x0 01248 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01249 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01250 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236812, (0xc0100080, {24, 0, 0x40, 0, 1236812, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 284, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 284, {status=0x0, info=1}, ) == 0x0 01251 476 NtSetInformationFile (284, 1236868, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01252 476 NtSetInformationFile (284, 1236860, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01253 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01254 476 NtWriteFile (284, 261, 0, 0, (284, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01255 476 NtReadFile (284, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (284, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01256 476 NtFsControlFile (284, 261, 0x0, 0x0, 0x11c017, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68}, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\374 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01257 476 NtOpenThreadToken (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN 01258 476 NtOpenProcessToken (-1, 0x20, ... 288, ) == 0x0 01259 476 NtAdjustPrivilegesToken (288, 0, 1401160, 0, 0, 0, ... ) == 0x0 01260 476 NtClose (288, ... ) == 0x0 01261 476 NtFsControlFile (284, 261, 0x0, 0x0, 0x11c017, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32}, (284, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103 01262 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 288, {status=0x0, info=1}, ) }, 3, 96, ... 288, {status=0x0, info=1}, ) == 0x0 01263 476 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 292, ) }, ... 292, ) == 0x0 01264 476 NtQuerySymbolicLinkObject (292, ... (292, ... 
"\Device\FloppyPDO0", 38, ) , 38, ) == 0x0 01265 476 NtClose (292, ... ) == 0x0 01266 476 NtQueryVolumeInformationFile (288, 1237272, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01267 476 NtClose (288, ... ) == 0x0 01268 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 288, {status=0x0, info=1}, ) }, 3, 16, ... 288, {status=0x0, info=1}, ) == 0x0 01269 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0 01270 476 NtClose (288, ... ) == 0x0 01271 476 NtQueryInformationFile (-1, 1237272, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01272 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1237224, (0x100080, {24, 0, 0x40, 0, 1237224, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) == 0x0 01273 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ... 01274 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01275 476 NtClose (-2147482020, ... ) == 0x0 01273 476 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01276 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ... 01277 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... 
-2147482020, {status=0x0, info=1}, ) == 0x0 01278 476 NtClose (-2147482020, ... ) == 0x0 01276 476 NtDeviceIoControlFile ... {status=0x0, info=374}, ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0 01279 476 NtClose (288, ... ) == 0x0 01280 476 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0 01281 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01282 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 292, ) }, ... 292, ) == 0x0 01283 476 NtClose (288, ... ) == 0x0 01284 476 NtQueryValueKey (292, (292, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01285 476 NtQueryValueKey (292, (292, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\6\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0\6\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (292, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\6\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0\6\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\7\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01286 476 NtClose (292, ... ) == 0x0 01287 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 292, ) }, ... 292, ) == 0x0 01288 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, (0x2000000, {24, 292, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 288, ) }, ... 288, ) == 0x0 01289 476 NtClose (292, ... ) == 0x0 01290 476 NtQueryValueKey (288, (288, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "Generation", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01291 476 NtClose (288, ... ) == 0x0 01292 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 288, {status=0x0, info=0}, ) }, 3, 96, ... 288, {status=0x0, info=0}, ) == 0x0 01293 476 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 292, ) }, ... 292, ) == 0x0 01294 476 NtQuerySymbolicLinkObject (292, ... (292, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0 01295 476 NtClose (292, ... ) == 0x0 01296 476 NtQueryVolumeInformationFile (288, 1237272, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01297 476 NtClose (288, ... ) == 0x0 01298 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 288, {status=0x0, info=0}, ) }, 3, 16, ... 288, {status=0x0, info=0}, ) == 0x0 01299 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0 01300 476 NtClose (288, ... ) == 0x0 01301 476 NtQueryInformationFile (-1, 1237272, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01302 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1237224, (0x100080, {24, 0, 0x40, 0, 1237224, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01303 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ... 01304 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01305 476 NtClose (-2147482020, ... ) == 0x0 01303 476 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01306 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ... 01307 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01308 476 NtClose (-2147482020, ... ) == 0x0 01306 476 NtDeviceIoControlFile ... {status=0x0, info=490}, ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0 01309 476 NtClose (288, ... ) == 0x0 01310 476 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 
1409024, 4096, ) == 0x0 01311 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01312 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 292, ) }, ... 292, ) == 0x0 01313 476 NtClose (288, ... ) == 0x0 01314 476 NtQueryValueKey (292, (292, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01315 476 NtQueryValueKey (292, (292, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0$\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0$\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (292, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0$\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0$\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0%\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01316 476 NtClose (292, ... ) == 0x0 01317 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 292, ) }, ... 292, ) == 0x0 01318 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, (0x2000000, {24, 292, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 288, ) }, ... 288, ) == 0x0 01319 476 NtClose (292, ... ) == 0x0 01320 476 NtQueryValueKey (288, (288, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01321 476 NtClose (288, ... 
) == 0x0 01322 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 288, {status=0x0, info=0}, ) }, 3, 96, ... 288, {status=0x0, info=0}, ) == 0x0 01323 476 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 292, ) }, ... 292, ) == 0x0 01324 476 NtQuerySymbolicLinkObject (292, ... (292, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 01325 476 NtClose (292, ... ) == 0x0 01326 476 NtQueryVolumeInformationFile (288, 1237272, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01327 476 NtClose (288, ... ) == 0x0 01328 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 288, {status=0x0, info=0}, ) }, 3, 16, ... 288, {status=0x0, info=0}, ) == 0x0 01329 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, (288, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0 01330 476 NtClose (288, ... ) == 0x0 01331 476 NtQueryInformationFile (-1, 1237272, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01332 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1237224, (0x100080, {24, 0, 0x40, 0, 1237224, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) == 0x0 01333 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ... 
01334 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01335 476 NtClose (-2147482020, ... ) == 0x0 01333 476 NtDeviceIoControlFile ... ) == STATUS_BUFFER_OVERFLOW 01336 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0008, (288, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ... 01337 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01338 476 NtClose (-2147482020, ... ) == 0x0 01336 476 NtDeviceIoControlFile ... {status=0x0, info=238}, ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0 01339 476 NtClose (288, ... ) == 0x0 01340 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01341 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 292, ) }, ... 292, ) == 0x0 01342 476 NtClose (288, ... ) == 0x0 01343 476 NtQueryValueKey (292, (292, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01344 476 NtQueryValueKey (292, (292, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0A\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0A\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (292, "Data", Partial, 712, ... 
TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0A\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0$\1\0\0A\5\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0B\5\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\14\341\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0H\341\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0 01345 476 NtClose (292, ... ) == 0x0 01346 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 292, ) }, ... 292, ) == 0x0 01347 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, (0x2000000, {24, 292, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 288, ) }, ... 288, ) == 0x0 01348 476 NtClose (292, ... ) == 0x0 01349 476 NtQueryValueKey (288, (288, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (288, "Generation", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01350 476 NtClose (288, ... ) == 0x0 01351 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01352 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) == 0x0 01353 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01354 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01355 476 NtClose (-2147482020, ... ) == 0x0 01353 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01356 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01357 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01358 476 NtClose (-2147482020, ... ) == 0x0 01356 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01359 476 NtClose (288, ... ) == 0x0 01360 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01361 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01362 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01363 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01364 476 NtClose (-2147482020, ... ) == 0x0 01362 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01365 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01366 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01367 476 NtClose (-2147482020, ... ) == 0x0 01365 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0 01368 476 NtClose (288, ... ) == 0x0 01369 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0 01370 476 NtSetValueKey (288, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01371 476 NtClose (288, ... ) == 0x0 01372 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01373 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01374 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01375 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01376 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01377 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01378 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01379 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01381 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01382 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01383 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01384 476 NtClose (-2147482020, ... ) == 0x0 01382 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01385 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01386 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01387 476 NtClose (-2147482020, ... ) == 0x0 01385 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01388 476 NtClose (288, ... ) == 0x0 01389 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01390 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01391 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01392 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01393 476 NtClose (-2147482020, ... ) == 0x0 01391 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01394 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01395 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0 01396 476 NtClose (-2147482020, ... ) == 0x0 01394 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0 01397 476 NtClose (288, ... ) == 0x0 01398 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0 01399 476 NtSetValueKey (288, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01400 476 NtClose (288, ... ) == 0x0 01401 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01402 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01403 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01404 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01405 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01406 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01407 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01408 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01409 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01410 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01411 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01412 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01413 476 NtClose (-2147482020, ... ) == 0x0 01411 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01414 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01415 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01416 476 NtClose (-2147482020, ... ) == 0x0 01414 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01417 476 NtClose (288, ... ) == 0x0 01418 476 NtQueryInformationFile (-1, 1238476, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH 01419 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238428, (0x100080, {24, 0, 0x40, 0, 1238428, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 288, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 
288, {status=0x0, info=0}, ) == 0x0 01420 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ... 01421 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01422 476 NtClose (-2147482020, ... ) == 0x0 01420 476 NtDeviceIoControlFile ... 
) == STATUS_BUFFER_OVERFLOW 01423 476 NtDeviceIoControlFile (288, 0, 0x0, 0x0, 0x6d0034, (288, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ... 01424 476 NtOpenFile (0x80, {24, 0, 0x200, 0, 0, (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0 01425 476 NtClose (-2147482020, ... ) == 0x0 01423 476 NtDeviceIoControlFile ... {status=0x0, info=12}, ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0 01426 476 NtClose (288, ... ) == 0x0 01427 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 288, 2, ) }, 0, 0x0, 0, ... 288, 2, ) == 0x0 01428 476 NtSetValueKey (288, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1, (288, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... 
) == 0x0 01429 476 NtClose (288, ... ) == 0x0 01430 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01432 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01433 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01434 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01435 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01436 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01437 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01438 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01439 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01440 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 288, {status=0x0, info=1}, ) }, 3, 96, ... 
288, {status=0x0, info=1}, ) == 0x0 01441 476 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 292, ) }, ... 292, ) == 0x0 01442 476 NtQuerySymbolicLinkObject (292, ... (292, ... "\Device\WinDfs\F:00000000000091d6", 66, ) , 66, ) == 0x0 01443 476 NtClose (292, ... ) == 0x0 01444 476 NtQueryVolumeInformationFile (288, 1238520, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01445 476 NtClose (288, ... ) == 0x0 01446 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01447 476 NtOpenFile (0x100080, {24, 0, 0x40, 0, 0, (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 288, {status=0x0, info=1}, ) }, 3, 96, ... 288, {status=0x0, info=1}, ) == 0x0 01448 476 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 292, ) }, ... 292, ) == 0x0 01449 476 NtQuerySymbolicLinkObject (292, ... (292, ... "\Device\WinDfs\U:00000000000091d6", 66, ) , 66, ) == 0x0 01450 476 NtClose (292, ... ) == 0x0 01451 476 NtQueryVolumeInformationFile (288, 1238520, 8, Device, ... {status=0x0, info=8}, ) == 0x0 01452 476 NtClose (288, ... ) == 0x0 01453 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01454 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01455 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 292, ) }, ... 292, ) == 0x0 01456 476 NtClose (288, ... ) == 0x0 01457 476 NtQueryValueKey (292, (292, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (292, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01458 476 NtClose (292, ... 
) == 0x0 01459 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 01460 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 292, ) }, ... 292, ) == 0x0 01462 476 NtQueryKey (294, Name, 392, ... {Name= (294, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 01463 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01464 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 288, ) == 0x0 01465 476 NtQueryInformationToken (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01466 476 NtClose (288, ... ) == 0x0 01467 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01468 476 NtEnumerateKey (294, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (294, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 01469 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01470 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01471 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 288, ) }, ... 288, ) == 0x0 01472 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 01473 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01474 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 296, ) == 0x0 01475 476 NtQueryInformationToken (296, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01476 476 NtClose (296, ... ) == 0x0 01477 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01478 476 NtQueryValueKey (290, (290, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (290, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01479 476 NtClose (290, ... ) == 0x0 01480 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01481 476 NtEnumerateKey (294, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 01482 476 NtClose (294, ... ) == 0x0 01483 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 292, {status=0x0, info=1}, ) }, 3, 16417, ... 292, {status=0x0, info=1}, ) == 0x0 01484 476 NtQueryDirectoryFile (292, 0, 0, 0, 1236716, 616, BothDirectory, 1, (292, 0, 0, 0, 1236716, 616, BothDirectory, 1, "Program Files", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 01485 476 NtClose (292, ... 
) == 0x0 01486 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01487 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01488 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1232088, ... ) }, 1232088, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01489 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01490 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01491 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01492 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01493 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1232060, ... ) }, 1232060, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01494 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01495 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01496 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01497 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01498 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1232424, ... ) }, 1232424, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01499 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01500 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01501 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01502 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01503 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1232424, ... ) }, 1232424, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01504 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01505 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01506 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01507 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01508 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1232424, ... ) }, 1232424, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01509 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01510 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01511 476 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0 01512 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01513 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01514 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 292, ) }, ... 292, ) == 0x0 01515 476 NtQueryKey (294, Name, 384, ... {Name= (294, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01516 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 01517 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 288, ) == 0x0 01518 476 NtQueryInformationToken (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01519 476 NtClose (288, ... ) == 0x0 01520 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01521 476 NtOpenKey (0x1, {24, 294, 0x40, 0, 0, (0x1, {24, 294, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01522 476 NtQueryKey (294, Name, 384, ... {Name= (294, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01523 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01524 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 288, ) == 0x0 01525 476 NtQueryInformationToken (288, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01526 476 NtClose (288, ... ) == 0x0 01527 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01528 476 NtOpenKey (0x2000000, {24, 294, 0x40, 0, 0, ""}, ... 288, ) == 0x0 01529 476 NtClose (294, ... ) == 0x0 01530 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01531 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01532 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01533 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 292, ) }, ... 292, ) == 0x0 01534 476 NtQueryValueKey (292, (292, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01535 476 NtClose (292, ... 
) == 0x0 01536 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01537 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 292, ) }, ... 292, ) == 0x0 01538 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, ""}, ... 296, ) == 0x0 01539 476 NtQueryValueKey (296, (296, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01540 476 NtQueryValueKey (296, (296, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (296, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0 01541 476 NtClose (296, ... ) == 0x0 01542 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01543 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01544 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01545 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01546 476 NtQueryValueKey (296, (296, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01547 476 NtClose (296, ... ) == 0x0 01548 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01549 476 NtWaitForSingleObject (220, 0, {0, 0}, ... 
) == 0x0 01550 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01551 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01552 476 NtQueryValueKey (296, (296, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01553 476 NtClose (296, ... ) == 0x0 01554 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01555 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01556 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01557 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01558 476 NtQueryValueKey (296, (296, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01559 476 NtClose (296, ... ) == 0x0 01560 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01561 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01562 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01563 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01564 476 NtQueryValueKey (296, (296, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01565 476 NtClose (296, ... ) == 0x0 01566 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01567 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01568 476 NtReleaseSemaphore (220, 1, ... 
0, ) == 0x0 01569 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01570 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01571 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01572 476 NtQueryValueKey (296, (296, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01573 476 NtClose (296, ... ) == 0x0 01574 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01575 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01576 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01577 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01578 476 NtQueryValueKey (296, (296, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01579 476 NtClose (296, ... ) == 0x0 01580 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01581 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01582 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01583 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 296, ) }, ... 296, ) == 0x0 01584 476 NtQueryValueKey (296, (296, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01585 476 NtClose (296, ... ) == 0x0 01586 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01587 476 NtWaitForSingleObject (220, 0, {0, 0}, ... 
) == 0x0 01588 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01589 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, (0x2000000, {24, 292, 0x40, 0, 0, "Advanced"}, ... 296, ) }, ... 296, ) == 0x0 01590 476 NtQueryValueKey (296, (296, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0 01591 476 NtQueryValueKey (296, (296, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01592 476 NtQueryValueKey (296, (296, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01593 476 NtQueryValueKey (296, (296, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01594 476 NtQueryValueKey (296, (296, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01595 476 NtQueryValueKey (296, (296, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01596 476 NtQueryValueKey (296, (296, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "MapNetDrvBtn", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01597 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 01598 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 01599 476 NtQueryValueKey (296, (296, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01600 476 NtQueryValueKey (296, (296, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01601 476 NtQueryValueKey (296, (296, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01602 476 NtQueryValueKey (296, (296, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (296, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01603 476 NtQueryValueKey (296, (296, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01604 476 NtClose (296, ... ) == 0x0 01605 476 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1374736, 0, (0x1f0003, {24, 52, 0x80, 1374736, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 296, ) }, 0, 2147483647, ... 296, ) == STATUS_OBJECT_NAME_EXISTS 01606 476 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 01607 476 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 01608 476 NtQueryKey (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01609 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01610 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 300, ) == 0x0 01611 476 NtQueryInformationToken (300, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 01612 476 NtClose (300, ... ) == 0x0 01613 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01614 476 NtOpenKey (0x1, {24, 290, 0x40, 0, 0, (0x1, {24, 290, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01616 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01617 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 300, ) == 0x0 01618 476 NtQueryInformationToken (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01619 476 NtClose (300, ... ) == 0x0 01620 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 476 NtQueryValueKey (290, (290, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01623 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01624 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 300, ) == 0x0 01625 476 NtQueryInformationToken (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01626 476 NtClose (300, ... ) == 0x0 01627 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01628 476 NtQueryValueKey (290, (290, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01629 476 NtQueryKey (290, Name, 384, ... {Name= (290, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01630 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01631 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 300, ) == 0x0 01632 476 NtQueryInformationToken (300, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01633 476 NtClose (300, ... ) == 0x0 01634 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01635 476 NtOpenKey (0x1, {24, 290, 0x40, 0, 0, (0x1, {24, 290, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01636 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 01637 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01638 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 300, ) }, ... 300, ) == 0x0 01639 476 NtQueryKey (302, Name, 384, ... {Name= (302, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0 01640 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01641 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 01642 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01643 476 NtClose (304, ... ) == 0x0 01644 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01645 476 NtOpenKey (0x1, {24, 302, 0x40, 0, 0, (0x1, {24, 302, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01646 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01647 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01648 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 01649 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01650 476 NtClose (304, ... ) == 0x0 01651 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01652 476 NtQueryValueKey (290, (290, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01653 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01654 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01655 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 01656 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01657 476 NtClose (304, ... ) == 0x0 01658 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 476 NtQueryValueKey (290, (290, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (290, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01660 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0 01661 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01662 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 01663 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01664 476 NtClose (304, ... ) == 0x0 01665 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01666 476 NtQueryValueKey (290, (290, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01667 476 NtClose (290, ... ) == 0x0 01668 476 NtClose (302, ... ) == 0x0 01669 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01670 476 NtQueryDirectoryFile (300, 0, 0, 0, 1236608, 616, BothDirectory, 1, (300, 0, 0, 0, 1236608, 616, BothDirectory, 1, "Common Files", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01671 476 NtClose (300, ... ) == 0x0 01672 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01673 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01674 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1233524, ... ) }, 1233524, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01675 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01676 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 01677 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01678 476 NtQueryDirectoryFile (300, 0, 0, 0, 1236524, 616, BothDirectory, 1, (300, 0, 0, 0, 1236524, 616, BothDirectory, 1, "delsim", 0, ... {status=0x0, info=106}, ) , 0, ... {status=0x0, info=106}, ) == 0x0 01679 476 NtClose (300, ... ) == 0x0 01680 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Program Files\Common Files\delsim\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01681 476 NtQueryDirectoryFile (300, 0, 0, 0, 1236456, 616, BothDirectory, 1, (300, 0, 0, 0, 1236456, 616, BothDirectory, 1, "del.exe", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01682 476 NtClose (300, ... ) == 0x0 01683 476 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0 01684 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01685 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01686 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01687 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01688 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01689 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01690 476 NtQueryValueKey (300, (300, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01691 476 NtClose (300, ... 
) == 0x0 01692 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1237456, ... ) }, 1237456, ... ) == 0x0 01693 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01694 476 NtSetValueKey (300, (300, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1, (300, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0 01695 476 NtClose (300, ... ) == 0x0 01696 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235868, ... ) }, 1235868, ... ) == 0x0 01697 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01698 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 300, ... 288, ) == 0x0 01699 476 NtClose (300, ... ) == 0x0 01700 476 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 262144, ) == 0x0 01701 476 NtClose (288, ... ) == 0x0 01702 476 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01703 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01704 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01705 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 
288, ) == 0x0 01706 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 300, ) }, ... 300, ) == 0x0 01707 476 NtClose (288, ... ) == 0x0 01708 476 NtQueryValueKey (300, (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01709 476 NtClose (300, ... ) == 0x0 01710 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01711 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235772, 616, BothDirectory, 1, (300, 0, 0, 0, 1235772, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01712 476 NtClose (300, ... ) == 0x0 01713 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01714 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235676, 616, BothDirectory, 1, (300, 0, 0, 0, 1235676, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01715 476 NtClose (300, ... ) == 0x0 01716 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01717 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235596, 616, BothDirectory, 1, (300, 0, 0, 0, 1235596, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 01718 476 NtClose (300, ... ) == 0x0 01719 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 01720 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01721 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1230968, ... ) }, 1230968, ... ) == 0x0 01722 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01723 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01724 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01725 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01726 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01727 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01728 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01729 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01730 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01731 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01732 476 NtClose (300, ... ) == 0x0 01733 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01734 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... 
{status=0x0, info=-2142329745}, ) == 0x0 01735 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01736 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01737 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01738 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01739 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01740 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01741 476 NtClose (300, ... ) == 0x0 01742 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01743 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01744 476 NtClose (300, ... ) == 0x0 01745 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01746 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01747 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1230968, ... ) }, 1230968, ... ) == 0x0 01748 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01749 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01750 476 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0 01751 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 
300, {status=0x0, info=1}, ) == 0x0 01752 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01753 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01754 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01755 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01756 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01757 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01758 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01759 476 NtClose (300, ... ) == 0x0 01760 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01761 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01762 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01763 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01764 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01765 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01766 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01767 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... 
) == STATUS_RANGE_NOT_LOCKED 01768 476 NtClose (300, ... ) == 0x0 01769 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01770 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01771 476 NtClose (300, ... ) == 0x0 01772 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01773 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01774 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233024, ... ) }, 1233024, ... ) == 0x0 01775 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01776 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01777 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01778 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01779 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01780 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01781 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01782 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01783 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01784 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... 
) == STATUS_RANGE_NOT_LOCKED 01785 476 NtClose (300, ... ) == 0x0 01786 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01787 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01788 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231304, ... ) }, 1231304, ... ) == 0x0 01789 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01790 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01791 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01792 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01793 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01794 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01795 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01796 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01797 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01798 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01799 476 NtClose (300, ... ) == 0x0 01800 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01801 476 NtQueryInformationToken (300, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 01802 476 NtClose (300, ... ) == 0x0 01803 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01804 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01805 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231304, ... ) }, 1231304, ... ) == 0x0 01806 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01807 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01808 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01809 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01810 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01811 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01812 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01813 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01814 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01815 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01816 476 NtClose (300, ... ) == 0x0 01817 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01818 476 NtQueryInformationToken (300, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 01819 476 NtClose (300, ... ) == 0x0 01820 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01821 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01822 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231304, ... ) }, 1231304, ... ) == 0x0 01823 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01824 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01825 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01826 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01827 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01828 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 10747904, 1052672, ) == 0x0 01829 476 NtAllocateVirtualMemory (-1, 10747904, 0, 83, 4096, 4, ... 10747904, 4096, ) == 0x0 01830 476 NtReadFile (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (300, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 01831 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01832 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01833 476 NtClose (300, ... ) == 0x0 01834 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01835 476 NtQueryInformationToken (300, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 01836 476 NtClose (300, ... ) == 0x0 01837 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01838 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01839 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01840 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01841 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01842 476 NtQueryValueKey (300, (300, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0 01843 476 NtClose (300, ... ) == 0x0 01844 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1237456, ... ) }, 1237456, ... ) == 0x0 01845 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01846 476 NtSetValueKey (300, (300, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1, (300, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0 01847 476 NtClose (300, ... ) == 0x0 01848 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235868, ... ) }, 1235868, ... 
) == 0x0 01849 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01850 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 300, ... 288, ) == 0x0 01851 476 NtClose (300, ... ) == 0x0 01852 476 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 262144, ) == 0x0 01853 476 NtClose (288, ... ) == 0x0 01854 476 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01855 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01856 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01857 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01858 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 300, ) }, ... 300, ) == 0x0 01859 476 NtClose (288, ... ) == 0x0 01860 476 NtQueryValueKey (300, (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01861 476 NtClose (300, ... ) == 0x0 01862 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01863 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235776, 616, BothDirectory, 1, (300, 0, 0, 0, 1235776, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01864 476 NtClose (300, ... 
) == 0x0 01865 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01866 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235684, 616, BothDirectory, 1, (300, 0, 0, 0, 1235684, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01867 476 NtClose (300, ... ) == 0x0 01868 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01869 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235612, 616, BothDirectory, 1, (300, 0, 0, 0, 1235612, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 01870 476 NtClose (300, ... ) == 0x0 01871 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01872 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01873 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1230984, ... ) }, 1230984, ... ) == 0x0 01874 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01875 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01876 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01877 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... 
{status=0x0, info=-2142329745}, ) == 0x0 01878 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01879 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 10747904, 1052672, ) == 0x0 01880 476 NtAllocateVirtualMemory (-1, 10747904, 0, 142, 4096, 4, ... 10747904, 4096, ) == 0x0 01881 476 NtReadFile (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01882 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01883 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01884 476 NtClose (300, ... ) == 0x0 01885 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01886 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01887 476 NtClose (300, ... ) == 0x0 01888 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01889 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01890 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1230956, ... ) }, 1230956, ... ) == 0x0 01891 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01892 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01893 476 NtAllocateVirtualMemory (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0 01894 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 
300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01895 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01896 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01897 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 10747904, 1052672, ) == 0x0 01898 476 NtAllocateVirtualMemory (-1, 10747904, 0, 142, 4096, 4, ... 10747904, 4096, ) == 0x0 01899 476 NtReadFile (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01900 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01901 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01902 476 NtClose (300, ... ) == 0x0 01903 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01904 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01905 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1231320, ... ) }, 1231320, ... ) == 0x0 01906 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01907 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01908 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01909 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... 
{status=0x0, info=-2142329745}, ) == 0x0 01910 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01911 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 10747904, 1052672, ) == 0x0 01912 476 NtAllocateVirtualMemory (-1, 10747904, 0, 142, 4096, 4, ... 10747904, 4096, ) == 0x0 01913 476 NtReadFile (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01914 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01915 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01916 476 NtClose (300, ... ) == 0x0 01917 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01918 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01919 476 NtClose (300, ... ) == 0x0 01920 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01921 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01922 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1231320, ... ) }, 1231320, ... ) == 0x0 01923 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01924 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01925 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 300, {status=0x0, info=1}, ) }, 7, 96, ... 
300, {status=0x0, info=1}, ) == 0x0 01926 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01927 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01928 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 10747904, 1052672, ) == 0x0 01929 476 NtAllocateVirtualMemory (-1, 10747904, 0, 142, 4096, 4, ... 10747904, 4096, ) == 0x0 01930 476 NtReadFile (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01931 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01932 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01933 476 NtClose (300, ... ) == 0x0 01934 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01935 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01936 476 NtClose (300, ... ) == 0x0 01937 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01938 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01939 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1231320, ... ) }, 1231320, ... ) == 0x0 01940 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 01941 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 01942 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 
300, {status=0x0, info=1}, ) }, 7, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01943 476 NtLockFile (300, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 01944 476 NtQueryInformationFile (300, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01945 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 10747904, 1052672, ) == 0x0 01946 476 NtAllocateVirtualMemory (-1, 10747904, 0, 142, 4096, 4, ... 10747904, 4096, ) == 0x0 01947 476 NtReadFile (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (300, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 01948 476 NtFreeVirtualMemory (-1, (0xa40000), 1052672, 32768, ... (0xa40000), 1052672, ) == 0x0 01949 476 NtUnlockFile (300, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 01950 476 NtClose (300, ... ) == 0x0 01951 476 NtOpenProcessToken (-1, 0x8, ... 300, ) == 0x0 01952 476 NtQueryInformationToken (300, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 01953 476 NtClose (300, ... ) == 0x0 01954 476 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 01955 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01956 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01957 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01958 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01959 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01960 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01961 476 NtQueryValueKey (300, (300, "Desktop", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0 01962 476 NtClose (300, ... ) == 0x0 01963 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1237456, ... ) }, 1237456, ... ) == 0x0 01964 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01965 476 NtSetValueKey (300, (300, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1, (300, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0 01966 476 NtClose (300, ... ) == 0x0 01967 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235868, ... ) }, 1235868, ... ) == 0x0 01968 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 01969 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 300, ... 288, ) == 0x0 01970 476 NtClose (300, ... ) == 0x0 01971 476 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 262144, ) == 0x0 01972 476 NtClose (288, ... ) == 0x0 01973 476 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 01974 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 01975 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 01976 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 01977 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 300, ) }, ... 300, ) == 0x0 01978 476 NtClose (288, ... ) == 0x0 01979 476 NtQueryValueKey (300, (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01980 476 NtClose (300, ... ) == 0x0 01981 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01982 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235784, 616, BothDirectory, 1, (300, 0, 0, 0, 1235784, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 01983 476 NtClose (300, ... ) == 0x0 01984 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 01985 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235696, 616, BothDirectory, 1, (300, 0, 0, 0, 1235696, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 01986 476 NtClose (300, ... ) == 0x0 01987 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 
300, {status=0x0, info=1}, ) == 0x0 01988 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235628, 616, BothDirectory, 1, (300, 0, 0, 0, 1235628, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 01989 476 NtClose (300, ... ) == 0x0 01990 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01991 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01992 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 01993 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 01994 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01995 476 NtQueryValueKey (300, (300, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (300, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0 01996 476 NtClose (300, ... ) == 0x0 01997 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1237456, ... ) }, 1237456, ... ) == 0x0 01998 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 300, 2, ) }, 0, 0x0, 0, ... 300, 2, ) == 0x0 01999 476 NtSetValueKey (300, (300, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1, (300, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... 
) == 0x0 02000 476 NtClose (300, ... ) == 0x0 02001 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235868, ... ) }, 1235868, ... ) == 0x0 02002 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 300, {status=0x0, info=1}, ) }, 5, 96, ... 300, {status=0x0, info=1}, ) == 0x0 02003 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 300, ... 288, ) == 0x0 02004 476 NtClose (300, ... ) == 0x0 02005 476 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa40000), 0x0, 262144, ) == 0x0 02006 476 NtClose (288, ... ) == 0x0 02007 476 NtUnmapViewOfSection (-1, 0xa40000, ... ) == 0x0 02008 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02009 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02010 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 288, ) }, ... 288, ) == 0x0 02011 476 NtOpenKey (0x2000000, {24, 288, 0x40, 0, 0, (0x2000000, {24, 288, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 300, ) }, ... 300, ) == 0x0 02012 476 NtClose (288, ... ) == 0x0 02013 476 NtQueryValueKey (300, (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (300, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02014 476 NtClose (300, ... ) == 0x0 02015 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 02016 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235780, 616, BothDirectory, 1, (300, 0, 0, 0, 1235780, 616, BothDirectory, 1, "Documents and Settings", 0, ... 
{status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02017 476 NtClose (300, ... ) == 0x0 02018 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 02019 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235692, 616, BothDirectory, 1, (300, 0, 0, 0, 1235692, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 02020 476 NtClose (300, ... ) == 0x0 02021 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 300, {status=0x0, info=1}, ) }, 3, 16417, ... 300, {status=0x0, info=1}, ) == 0x0 02022 476 NtQueryDirectoryFile (300, 0, 0, 0, 1235624, 616, BothDirectory, 1, (300, 0, 0, 0, 1235624, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02023 476 NtClose (300, ... ) == 0x0 02024 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02025 476 NtOpenKey (0x2000000, {24, 292, 0x40, 0, 0, (0x2000000, {24, 292, 0x40, 0, 0, "FileExts"}, ... 300, ) }, ... 300, ) == 0x0 02026 476 NtOpenKey (0x2000000, {24, 300, 0x40, 0, 0, (0x2000000, {24, 300, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02027 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02028 476 NtOpenKey (0x2000000, {24, 300, 0x40, 0, 0, (0x2000000, {24, 300, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02029 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0 02030 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, ".exe"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02031 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 288, ) }, ... 288, ) == 0x0 02032 476 NtQueryKey (290, Name, 392, ... {Name= (290, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0 02033 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02034 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02035 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02036 476 NtClose (304, ... ) == 0x0 02037 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02038 476 NtQueryValueKey (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (290, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="e\0x\0e\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0 02039 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02040 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02041 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\exefile"}, ... 304, ) }, ... 304, ) == 0x0 02042 476 NtQueryKey (306, Name, 384, ... {Name= (306, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02043 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02044 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 308, ) == 0x0 02045 476 NtQueryInformationToken (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02046 476 NtClose (308, ... 
) == 0x0 02047 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02048 476 NtOpenKey (0x1, {24, 306, 0x40, 0, 0, (0x1, {24, 306, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02049 476 NtQueryKey (306, Name, 384, ... {Name= (306, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02050 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02051 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 308, ) == 0x0 02052 476 NtQueryInformationToken (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02053 476 NtClose (308, ... ) == 0x0 02054 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02055 476 NtOpenKey (0x2000000, {24, 306, 0x40, 0, 0, ""}, ... 308, ) == 0x0 02056 476 NtClose (306, ... ) == 0x0 02057 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 02058 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 02059 476 NtReleaseSemaphore (296, 1, ... 0, ) == 0x0 02060 476 NtWaitForSingleObject (296, 0, {0, 0}, ... ) == 0x0 02061 476 NtQueryKey (310, Name, 384, ... {Name= (310, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02062 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02063 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02064 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02065 476 NtClose (304, ... ) == 0x0 02066 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\ShellEx\IconHandler"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02067 476 NtOpenKey (0x1, {24, 310, 0x40, 0, 0, (0x1, {24, 310, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02068 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02069 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02070 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02071 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0 02072 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, ".exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02073 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.exe"}, ... 304, ) }, ... 304, ) == 0x0 02074 476 NtQueryKey (306, Name, 392, ... {Name= (306, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.exeo"}, 82, ) }, 82, ) == 0x0 02075 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02076 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 02077 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02078 476 NtClose (312, ... ) == 0x0 02079 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02080 476 NtQueryValueKey (306, (306, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02081 476 NtClose (306, ... 
) == 0x0 02082 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02083 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02084 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02085 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02086 476 NtClose (304, ... ) == 0x0 02087 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02088 476 NtQueryValueKey (310, (310, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02089 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02090 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02091 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02092 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02093 476 NtClose (304, ... ) == 0x0 02094 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02095 476 NtQueryValueKey (310, (310, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02096 476 NtQueryKey (310, Name, 384, ... {Name= (310, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02097 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02098 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02099 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02100 476 NtClose (304, ... 
) == 0x0 02101 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02102 476 NtOpenKey (0x1, {24, 310, 0x40, 0, 0, (0x1, {24, 310, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02103 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02104 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02105 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 304, ) }, ... 304, ) == 0x0 02106 476 NtQueryKey (306, Name, 384, ... {Name= (306, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0 02107 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02108 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 02109 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02110 476 NtClose (312, ... ) == 0x0 02111 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02112 476 NtOpenKey (0x1, {24, 306, 0x40, 0, 0, (0x1, {24, 306, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02113 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02114 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02115 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 02116 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02117 476 NtClose (312, ... 
) == 0x0 02118 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02119 476 NtQueryValueKey (310, (310, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02120 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02121 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02122 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 02123 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02124 476 NtClose (312, ... ) == 0x0 02125 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02126 476 NtQueryValueKey (310, (310, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02127 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\exefile"}, 88, ) }, 88, ) == 0x0 02128 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02129 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 02130 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02131 476 NtClose (312, ... ) == 0x0 02132 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\exefile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02133 476 NtQueryValueKey (310, (310, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02134 476 NtClose (290, ... ) == 0x0 02135 476 NtClose (310, ... ) == 0x0 02136 476 NtClose (306, ... 
) == 0x0 02137 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "LINKINFO.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02138 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\LINKINFO.dll"}, 1237076, ... ) }, 1237076, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02139 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "LINKINFO.dll"}, 1237076, ... ) }, 1237076, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02140 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\LINKINFO.dll"}, 1237076, ... ) }, 1237076, ... ) == 0x0 02141 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\LINKINFO.dll"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 304, {status=0x0, info=1}, ) == 0x0 02142 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 304, ... 308, ) == 0x0 02143 476 NtQuerySection (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02144 476 NtClose (304, ... ) == 0x0 02145 476 NtMapViewOfSection (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76980000), 0x0, 28672, ) == 0x0 02146 476 NtClose (308, ... ) == 0x0 02147 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02148 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02149 476 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02150 476 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10747904, 65536, ) == 0x0 02151 476 NtAllocateVirtualMemory (-1, 10747904, 0, 4096, 4096, 4, ... 10747904, 4096, ) == 0x0 02152 476 NtAllocateVirtualMemory (-1, 10752000, 0, 8192, 4096, 4, ... 10752000, 8192, ) == 0x0 02153 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02154 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Network\SharingHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02155 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Network\SharingHandler"}, ... 308, ) }, ... 308, ) == 0x0 02156 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandlert"}, 118, ) }, 118, ) == 0x0 02157 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02158 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 304, ) == 0x0 02159 476 NtQueryInformationToken (304, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02160 476 NtClose (304, ... ) == 0x0 02161 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Network\SharingHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02162 476 NtQueryValueKey (310, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (310, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="n\0t\0s\0h\0r\0u\0i\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0 02163 476 NtClose (310, ... 
) == 0x0 02164 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ntshrui.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02165 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ntshrui.dll"}, 1234772, ... ) }, 1234772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02166 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ntshrui.dll"}, 1234772, ... ) }, 1234772, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02167 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntshrui.dll"}, 1234772, ... ) }, 1234772, ... ) == 0x0 02168 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntshrui.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0 02169 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0 02170 476 NtQuerySection (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02171 476 NtClose (308, ... ) == 0x0 02172 476 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76990000), 0x0, 147456, ) == 0x0 02173 476 NtClose (304, ... ) == 0x0 02174 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02175 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1233968, ... ) }, 1233968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02176 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ATL.DLL"}, 1233968, ... ) }, 1233968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02177 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1233968, ... ) }, 1233968, ... ) == 0x0 02178 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 304, {status=0x0, info=1}, ) }, 5, 96, ... 
304, {status=0x0, info=1}, ) == 0x0 02179 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 304, ... 308, ) == 0x0 02180 476 NtQuerySection (308, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02181 476 NtClose (304, ... ) == 0x0 02182 476 NtMapViewOfSection (308, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 02183 476 NtClose (308, ... ) == 0x0 02184 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02185 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1233968, ... ) }, 1233968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02186 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1233968, ... ) }, 1233968, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02187 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1233968, ... ) }, 1233968, ... ) == 0x0 02188 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0 02189 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 308, ... 304, ) == 0x0 02190 476 NtQuerySection (304, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02191 476 NtClose (308, ... ) == 0x0 02192 476 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 02193 476 NtClose (304, ... ) == 0x0 02194 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 304, ) }, ... 304, ) == 0x0 02195 476 NtMapViewOfSection (304, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 02196 476 NtClose (304, ... ) == 0x0 02197 476 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02198 476 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 10813440, 262144, ) == 0x0 02199 476 NtAllocateVirtualMemory (-1, 10813440, 0, 4096, 4096, 4, ... 10813440, 4096, ) == 0x0 02200 476 NtAllocateVirtualMemory (-1, 10817536, 0, 8192, 4096, 4, ... 10817536, 8192, ) == 0x0 02201 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02202 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02203 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 304, ) }, ... 304, ) == 0x0 02204 476 NtQueryValueKey (304, (304, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02205 476 NtClose (304, ... ) == 0x0 02206 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 304, ) }, ... 304, ) == 0x0 02207 476 NtQueryValueKey (304, (304, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02208 476 NtClose (304, ... ) == 0x0 02209 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 304, ) }, ... 304, ) == 0x0 02210 476 NtQueryValueKey (304, (304, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (304, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 02211 476 NtClose (304, ... ) == 0x0 02212 476 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1234396, 0, (0x1f0003, {24, 52, 0x80, 1234396, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 304, ) }, 0, 1, ... 304, ) == STATUS_OBJECT_NAME_EXISTS 02213 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02214 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02215 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02216 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02217 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02218 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02219 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02220 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02221 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02222 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02223 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02224 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02225 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02226 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02227 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02228 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02229 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02230 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02231 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02232 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02233 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02234 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02235 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02236 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02237 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02238 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02239 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02240 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
308, ) == 0x0 02241 476 NtQueryInformationToken (308, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02242 476 NtClose (308, ... ) == 0x0 02243 476 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 308, ) }, ... 308, ) == 0x0 02244 476 NtOpenKey (0x20019, {24, 308, 0x40, 0, 0, (0x20019, {24, 308, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 288, ) }, ... 288, ) == 0x0 02245 476 NtQueryValueKey (288, (288, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 02246 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02247 476 NtQueryValueKey (288, (288, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (288, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 02248 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02249 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02250 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02251 476 NtQueryDefaultLocale (1, 1232232, ... ) == 0x0 02252 476 NtClose (288, ... ) == 0x0 02253 476 NtClose (308, ... ) == 0x0 02254 476 NtAllocateVirtualMemory (-1, 8679424, 0, 4096, 4096, 4, ... 8679424, 4096, ) == 0x0 02255 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 308, ) }, ... 
308, ) == 0x0 02256 476 NtQueryValueKey (308, (308, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02257 476 NtClose (308, ... ) == 0x0 02258 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 308, ) }, ... 308, ) == 0x0 02259 476 NtQueryValueKey (308, (308, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02260 476 NtQueryValueKey (308, (308, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02261 476 NtClose (308, ... ) == 0x0 02262 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02263 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 308, ) }, ... 308, ) == 0x0 02264 476 NtQueryValueKey (308, (308, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02265 476 NtClose (308, ... ) == 0x0 02266 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02267 476 NtQueryDefaultUILanguage (1233144, ... 02268 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02269 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482020, ) == 0x0 02270 476 NtQueryInformationToken (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02271 476 NtClose (-2147482020, ... ) == 0x0 02272 476 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... 
-2147482020, ) == 0x0 02273 476 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02274 476 NtOpenKey (0x80000000, {24, -2147482020, 0x640, 0, 0, (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 02275 476 NtQueryValueKey (-2147482032, (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02276 476 NtClose (-2147482032, ... ) == 0x0 02277 476 NtClose (-2147482020, ... ) == 0x0 02267 476 NtQueryDefaultUILanguage ... ) == 0x0 02278 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02279 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntshrui.dll"}, 1, 96, ... 308, {status=0x0, info=1}, ) }, 1, 96, ... 308, {status=0x0, info=1}, ) == 0x0 02280 476 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 308, ... 288, ) == 0x0 02281 476 NtMapViewOfSection (288, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa90000), 0x0, 139264, ) == 0x0 02282 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntshrui.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02283 476 NtQueryDefaultLocale (1, 1231180, ... ) == 0x0 02284 476 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ntshrui.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02285 476 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1232036, 1, 96, 0} (24, {128, 156, new_msg, 0, 1232036, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\320\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\1\0\0\377\377\377\377\0\0\0\0p\250\251\0\0\0\0\0y\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\244\323\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1578, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\320\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\1\0\0\377\377\377\377\0\0\0\0p\250\251\0\0\0\0\0y\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\244\323\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 476, 1578, 0} (24, {128, 156, new_msg, 0, 1232036, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\320\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\1\0\0\377\377\377\377\0\0\0\0p\250\251\0\0\0\0\0y\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\244\323\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 476, 1578, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\320\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\14\1\0\0\377\377\377\377\0\0\0\0p\250\251\0\0\0\0\0y\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\244\323\22\0\0\0\0\0" ) ) == 0x0 02286 476 NtClose (308, ... ) == 0x0 02287 476 NtClose (288, ... ) == 0x0 02288 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 02289 476 NtUnmapViewOfSection (-1, 0x12d3a4, ... ) == STATUS_NOT_MAPPED_VIEW 02290 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02291 476 NtAllocateVirtualMemory (-1, 1429504, 0, 4096, 4096, 4, ... 
1429504, 4096, ) == 0x0 02292 476 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02293 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02294 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02295 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1230264, ... ) }, 1230264, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02296 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02297 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02298 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02299 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1230856, ... ) }, 1230856, ... ) == 0x0 02300 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 288, {status=0x0, info=1}, ) }, 3, 33, ... 288, {status=0x0, info=1}, ) == 0x0 02301 476 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02302 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02303 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 308, {status=0x0, info=1}, ) }, 3, 16417, ... 308, {status=0x0, info=1}, ) == 0x0 02304 476 NtQueryInformationFile (308, 1236276, 528, Name, ... {status=0x0, info=6}, ) == 0x0 02305 476 NtQueryVolumeInformationFile (308, 1401200, 544, Volume, ... {status=0x0, info=18}, ) == 0x0 02306 476 NtClose (308, ... ) == 0x0 02307 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02308 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02309 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
308, ) == 0x0 02310 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02311 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02312 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234632, (0xc0100080, {24, 0, 0x40, 0, 1234632, "\??\PIPE\srvsvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 02313 476 NtSetInformationFile (312, 1234688, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02314 476 NtSetInformationFile (312, 1234680, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02315 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02316 476 NtWriteFile (312, 261, 0, 0, (312, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\310O2Kp\26\323\1\22xZG\277n\341\210\3\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02317 476 NtReadFile (312, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (312, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 02318 476 NtFsControlFile (312, 261, 0x0, 0x0, 0x11c017, (312, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\17\0\0\0\0\0\366\1\0\0\366\1\0\04\335\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 56, 1024, ... 
{status=0x103, info=68}, (312, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\08\0\0\0\1\0\0\0 \0\0\0\0\0\17\0\0\0\0\0\366\1\0\0\366\1\0\04\335\22\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0", 56, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\206"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 02319 476 NtClose (308, ... ) == 0x0 02320 476 NtClose (312, ... ) == 0x0 02321 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 312, ) }, ... 312, ) == 0x0 02322 476 NtQueryValueKey (312, (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 02323 476 NtClose (312, ... ) == 0x0 02324 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02325 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 312, ) == 0x0 02326 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02327 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02328 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1234652, (0xc0100080, {24, 0, 0x40, 0, 1234652, "\??\PIPE\srvsvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 308, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 308, {status=0x0, info=1}, ) == 0x0 02329 476 NtSetInformationFile (308, 1234708, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02330 476 NtSetInformationFile (308, 1234700, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02331 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02332 476 NtWriteFile (308, 261, 0, 0, (308, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\310O2Kp\26\323\1\22xZG\277n\341\210\3\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02333 476 NtReadFile (308, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (308, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\207"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 02334 476 NtFsControlFile (308, 261, 0x0, 0x0, 0x11c017, (308, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\1\0\0\0,\0\0\0\0\0\20\0\24&\231v\1\0\0\0\0\0\0\0\1\0\0\0\0\0ZG\3\0\0\0\0\0\0\0\3\0\0\0C\0$\0\0\0\10\0\365\1\0\0", 68, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\207"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 68, 1024, ... {status=0x103, info=68}, (308, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0D\0\0\0\1\0\0\0,\0\0\0\0\0\20\0\24&\231v\1\0\0\0\0\0\0\0\1\0\0\0\0\0ZG\3\0\0\0\0\0\0\0\3\0\0\0C\0$\0\0\0\10\0\365\1\0\0", 68, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\207"\0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\srvsvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 02335 476 NtClose (312, ... ) == 0x0 02336 476 NtClose (308, ... ) == 0x0 02337 476 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 308, ) }, ... 
308, ) == 0x0 02338 476 NtOpenKey (0x20019, {24, 308, 0x40, 0, 0, (0x20019, {24, 308, 0x40, 0, 0, "ActiveComputerName"}, ... 312, ) }, ... 312, ) == 0x0 02339 476 NtQueryValueKey (312, (312, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (312, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (312, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02340 476 NtClose (312, ... ) == 0x0 02341 476 NtClose (308, ... ) == 0x0 02342 476 NtCreateFile (0x100080, {24, 0, 0x40, 0, 1238452, (0x100080, {24, 0, 0x40, 0, 1238452, "\??\C:\Program Files\Common Files\delsim\del.exe"}, 0x0, 128, 7, 1, 16416, 0, 0, ... 308, {status=0x0, info=1}, ) }, 0x0, 128, 7, 1, 16416, 0, 0, ... 308, {status=0x0, info=1}, ) == 0x0 02343 476 NtQueryVolumeInformationFile (308, 1238336, 24, Volume, ... {status=0x0, info=18}, ) == 0x0 02344 476 NtQueryInformationFile (308, 1238360, 104, All, ... ) == STATUS_BUFFER_OVERFLOW 02345 476 NtFsControlFile (308, 0, 0x0, 0x0, 0x900c0, 0x0, 0, 64, ... ) == STATUS_INVALID_DEVICE_REQUEST 02346 476 NtClose (308, ... ) == 0x0 02347 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02348 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02349 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\del.lnk"}, 1240420, ... ) }, 1240420, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02350 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02351 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02352 476 NtCreateFile (0x80100180, {24, 0, 0x40, 0, 1241376, (0x80100180, {24, 0, 0x40, 0, 1241376, "\??\C:\Program Files\Common Files\delsim\del.exe"}, 0x0, 0, 3, 1, 96, 0, 0, ... 308, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 96, 0, 0, ... 308, {status=0x0, info=1}, ) == 0x0 02353 476 NtQueryInformationFile (308, 1241392, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 02354 476 NtSetInformationFile (308, 1241392, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02355 476 NtReadFile (308, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, (308, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\350\0\0\0", ) , ) == 0x0 02356 476 NtSetInformationFile (308, 1241432, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02357 476 NtReadFile (308, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, (308, 0, 0, 0, 64, 0x0, 0, ... {status=0x0, info=64}, "PE\0\0L\1\4\0\310\215/F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0\262\0\0\0L\0\0\0\0\0\0\240\255\0\0\0\20\0\0\0\320\0\0\0\0@\0\0\20\0\0\0\2\0\0", ) , ) == 0x0 02358 476 NtSetInformationFile (308, 1241432, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02359 476 NtReadFile (308, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (308, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\4\0\0\0", ) , ) == 0x0 02360 476 NtSetInformationFile (308, 1241432, 8, Position, ... {status=0x0, info=0}, ) == 0x0 02361 476 NtReadFile (308, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, (308, 0, 0, 0, 4, 0x0, 0, ... {status=0x0, info=4}, "\2\0\0\0", ) , ) == 0x0 02362 476 NtClose (308, ... ) == 0x0 02363 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\del.lnk"}, 1240936, ... ) }, 1240936, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02364 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240920, (0xc0100080, {24, 0, 0x40, 0, 1240920, "\??\C:\Documents and Settings\All Users\Start Menu\del.lnk"}, 0x0, 0, 3, 5, 96, 0, 0, ... }, 0x0, 0, 3, 5, 96, 0, 0, ... 02365 476 NtClose (-2147482020, ... ) == 0x0 02364 476 NtCreateFile ... 308, {status=0x0, info=2}, ) == 0x0 02366 476 NtUserMessageCall (0x10076, WM_USER+0x19, 0x0, 0x0, 0, 688, 0, ... ) == 0x1006c 02367 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02368 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 02369 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02370 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 312, ) }, ... 312, ) == 0x0 02371 476 NtQueryKey (314, Name, 392, ... {Name= (314, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 02372 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02373 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 316, ) == 0x0 02374 476 NtQueryInformationToken (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02375 476 NtClose (316, ... ) == 0x0 02376 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02377 476 NtEnumerateKey (314, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (314, 0, Node, 288, ... 
{LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 02378 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02379 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02380 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 316, ) }, ... 316, ) == 0x0 02381 476 NtQueryKey (318, Name, 392, ... {Name= (318, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 02382 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02383 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 02384 476 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02385 476 NtClose (320, ... ) == 0x0 02386 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02387 476 NtQueryValueKey (318, (318, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (318, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 02388 476 NtClose (318, ... ) == 0x0 02389 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02390 476 NtEnumerateKey (314, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 02391 476 NtClose (314, ... 
) == 0x0 02392 476 NtUserQueryWindow (65644, 0, ... ) == 0x774 02393 476 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 02394 476 NtCreateSection (0xf0007, 0x0, {396, 0}, 4, 134217728, 0, ... 312, ) == 0x0 02395 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 02396 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 316, ) == 0x0 02397 476 NtDuplicateObject (-1, 312, 316, 0xf001f, 0, 2, ... 924, ) == 0x0 02398 476 NtClose (316, ... ) == 0x0 02399 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 02400 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 02401 476 NtClose (312, ... ) == 0x0 02402 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 312, ) == 0x0 02403 476 NtDuplicateObject (312, 924, -1, 0xf001f, 0, 2, ... 316, ) == 0x0 02404 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 02405 476 NtClose (312, ... ) == 0x0 02406 476 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 02407 476 NtClose (316, ... ) == 0x0 02408 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 02409 476 NtUserMessageCall (0x1006c, WM_USER+0x3, 0x39c, 0x774, 0, 695, 0, ... ) == 0x1 02410 476 NtAllocateVirtualMemory (-1, 1433600, 0, 8192, 4096, 4, ... 1433600, 8192, ) == 0x0 02411 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02412 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02413 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02414 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02415 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02416 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02417 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02418 476 NtQueryValueKey (316, (316, "Start Menu", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0"}, 62, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "Start Menu", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0"}, 62, ) }, 62, ) == 0x0 02419 476 NtClose (316, ... ) == 0x0 02420 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02421 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02422 476 NtSetValueKey (316, (316, "Start Menu", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0", 92, ... ) , 0, 1, (316, "Start Menu", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\0\0", 92, ... ) , 92, ... ) == 0x0 02423 476 NtClose (316, ... ) == 0x0 02424 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02425 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02426 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02427 476 NtClose (316, ... ) == 0x0 02428 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02429 476 NtClose (312, ... ) == 0x0 02430 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02431 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 02432 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02433 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02434 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02435 476 NtClose (312, ... ) == 0x0 02436 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02437 476 NtClose (316, ... ) == 0x0 02438 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02439 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238424, 616, BothDirectory, 1, (316, 0, 0, 0, 1238424, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02440 476 NtClose (316, ... ) == 0x0 02441 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02442 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238332, 616, BothDirectory, 1, (316, 0, 0, 0, 1238332, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02443 476 NtClose (316, ... ) == 0x0 02444 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 
316, {status=0x0, info=1}, ) == 0x0 02445 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238256, 616, BothDirectory, 1, (316, 0, 0, 0, 1238256, 616, BothDirectory, 1, "Start Menu", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 02446 476 NtClose (316, ... ) == 0x0 02447 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02448 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02449 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 1233628, ... ) }, 1233628, ... ) == 0x0 02450 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02451 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02452 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02453 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02454 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02455 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02456 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02457 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12", ) , ) == 0x0 02458 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02459 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... 
) == STATUS_RANGE_NOT_LOCKED 02460 476 NtClose (316, ... ) == 0x0 02461 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02462 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02463 476 NtClose (316, ... ) == 0x0 02464 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02465 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02466 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 1233600, ... ) }, 1233600, ... ) == 0x0 02467 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02468 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02469 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02470 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02471 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02472 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02473 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02474 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12", ) , ) == 0x0 02475 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02476 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02477 476 NtClose (316, ... 
) == 0x0 02478 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02479 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02480 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 1233964, ... ) }, 1233964, ... ) == 0x0 02481 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02482 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02483 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02484 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02485 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02486 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02487 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02488 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12", ) , ) == 0x0 02489 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02490 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02491 476 NtClose (316, ... ) == 0x0 02492 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02493 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02494 476 NtClose (316, ... 
) == 0x0 02495 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02496 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02497 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 1233964, ... ) }, 1233964, ... ) == 0x0 02498 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02499 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02500 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02501 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02502 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02503 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02504 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02505 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12", ) , ) == 0x0 02506 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02507 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02508 476 NtClose (316, ... ) == 0x0 02509 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02510 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02511 476 NtClose (316, ... 
) == 0x0 02512 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02513 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02514 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 1233964, ... ) }, 1233964, ... ) == 0x0 02515 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02516 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02517 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02518 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02519 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02520 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02521 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02522 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12", ) , ) == 0x0 02523 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02524 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02525 476 NtClose (316, ... ) == 0x0 02526 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02527 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02528 476 NtClose (316, ... ) == 0x0 02529 476 NtReleaseSemaphore (100, 1, ... 
0, ) == 0x0 02530 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02531 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02532 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02533 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02534 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02535 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02536 476 NtClose (316, ... ) == 0x0 02537 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02538 476 NtClose (312, ... ) == 0x0 02539 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02540 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02541 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02542 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02543 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02544 476 NtClose (312, ... ) == 0x0 02545 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02546 476 NtClose (316, ... ) == 0x0 02547 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 
316, {status=0x0, info=1}, ) == 0x0 02548 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238424, 616, BothDirectory, 1, (316, 0, 0, 0, 1238424, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02549 476 NtClose (316, ... ) == 0x0 02550 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02551 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238328, 616, BothDirectory, 1, (316, 0, 0, 0, 1238328, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 02552 476 NtClose (316, ... ) == 0x0 02553 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02554 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238252, 616, BothDirectory, 1, (316, 0, 0, 0, 1238252, 616, BothDirectory, 1, "Start Menu", 0, ... {status=0x0, info=114}, ) , 0, ... {status=0x0, info=114}, ) == 0x0 02555 476 NtClose (316, ... ) == 0x0 02556 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02557 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02558 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 1233624, ... ) }, 1233624, ... ) == 0x0 02559 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02560 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02561 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02562 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02563 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02564 476 NtAllocateVirtualMemory (-1, 0, 0, 1048794, 8192, 4, ... 11337728, 1052672, ) == 0x0 02565 476 NtAllocateVirtualMemory (-1, 11337728, 0, 218, 4096, 4, ... 11337728, 4096, ) == 0x0 02566 476 NtReadFile (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12[LocalizedFileNames]\15\12Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075\15\12Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000\15\12", ) , ) == 0x0 02567 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02568 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02569 476 NtClose (316, ... ) == 0x0 02570 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02571 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02572 476 NtClose (316, ... ) == 0x0 02573 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02574 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02575 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 1233596, ... ) }, 1233596, ... ) == 0x0 02576 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02577 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02578 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02579 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02580 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02581 476 NtAllocateVirtualMemory (-1, 0, 0, 1048794, 8192, 4, ... 11337728, 1052672, ) == 0x0 02582 476 NtAllocateVirtualMemory (-1, 11337728, 0, 218, 4096, 4, ... 11337728, 4096, ) == 0x0 02583 476 NtReadFile (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12[LocalizedFileNames]\15\12Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075\15\12Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000\15\12", ) , ) == 0x0 02584 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02585 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02586 476 NtClose (316, ... ) == 0x0 02587 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02588 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02589 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 1233960, ... ) }, 1233960, ... ) == 0x0 02590 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02591 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02592 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02593 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02594 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02595 476 NtAllocateVirtualMemory (-1, 0, 0, 1048794, 8192, 4, ... 11337728, 1052672, ) == 0x0 02596 476 NtAllocateVirtualMemory (-1, 11337728, 0, 218, 4096, 4, ... 11337728, 4096, ) == 0x0 02597 476 NtReadFile (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12[LocalizedFileNames]\15\12Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075\15\12Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000\15\12", ) , ) == 0x0 02598 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02599 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02600 476 NtClose (316, ... ) == 0x0 02601 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02602 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02603 476 NtClose (316, ... ) == 0x0 02604 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02605 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02606 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 1233960, ... ) }, 1233960, ... ) == 0x0 02607 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02608 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02609 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02610 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02611 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02612 476 NtAllocateVirtualMemory (-1, 0, 0, 1048794, 8192, 4, ... 11337728, 1052672, ) == 0x0 02613 476 NtAllocateVirtualMemory (-1, 11337728, 0, 218, 4096, 4, ... 11337728, 4096, ) == 0x0 02614 476 NtReadFile (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12[LocalizedFileNames]\15\12Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075\15\12Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000\15\12", ) , ) == 0x0 02615 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02616 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02617 476 NtClose (316, ... ) == 0x0 02618 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02619 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02620 476 NtClose (316, ... ) == 0x0 02621 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02622 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02623 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 1233960, ... ) }, 1233960, ... ) == 0x0 02624 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02625 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02626 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02627 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02628 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02629 476 NtAllocateVirtualMemory (-1, 0, 0, 1048794, 8192, 4, ... 11337728, 1052672, ) == 0x0 02630 476 NtAllocateVirtualMemory (-1, 11337728, 0, 218, 4096, 4, ... 11337728, 4096, ) == 0x0 02631 476 NtReadFile (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, (316, 0, 0, 0, 214, 0x0, 2012046884, ... {status=0x0, info=214}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21786\15\12[LocalizedFileNames]\15\12Windows Catalog.lnk=@%SystemRoot%\system32\shell32.dll,-22075\15\12Activate Windows.lnk=@%SystemRoot%\system32\oobe\msoobe.exe,-2000\15\12", ) , ) == 0x0 02632 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02633 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02634 476 NtClose (316, ... ) == 0x0 02635 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02636 476 NtQueryInformationToken (316, Statistics, 56, ... 
{token info, class 10, size 56}, 56, ) == 0x0 02637 476 NtClose (316, ... ) == 0x0 02638 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02639 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02640 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02641 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02642 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02643 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02644 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02645 476 NtQueryValueKey (316, (316, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 02646 476 NtClose (316, ... ) == 0x0 02647 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02648 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02649 476 NtSetValueKey (316, (316, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (316, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... 
) , 106, ... ) == 0x0 02650 476 NtClose (316, ... ) == 0x0 02651 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02652 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02653 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02654 476 NtClose (316, ... ) == 0x0 02655 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02656 476 NtClose (312, ... ) == 0x0 02657 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02658 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02659 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02660 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02661 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02662 476 NtClose (312, ... ) == 0x0 02663 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02664 476 NtClose (316, ... ) == 0x0 02665 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 
316, {status=0x0, info=1}, ) == 0x0 02666 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238412, 616, BothDirectory, 1, (316, 0, 0, 0, 1238412, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02667 476 NtClose (316, ... ) == 0x0 02668 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02669 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238304, 616, BothDirectory, 1, (316, 0, 0, 0, 1238304, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 02670 476 NtClose (316, ... ) == 0x0 02671 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02672 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238216, 616, BothDirectory, 1, (316, 0, 0, 0, 1238216, 616, BothDirectory, 1, "Application Data", 0, ... {status=0x0, info=126}, ) , 0, ... {status=0x0, info=126}, ) == 0x0 02673 476 NtClose (316, ... ) == 0x0 02674 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02675 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02676 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 1233588, ... ) }, 1233588, ... ) == 0x0 02677 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02678 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02679 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02680 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02681 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02682 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02683 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02684 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02685 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02686 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02687 476 NtClose (316, ... ) == 0x0 02688 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02689 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02690 476 NtClose (316, ... ) == 0x0 02691 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02692 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02693 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 1233560, ... ) }, 1233560, ... ) == 0x0 02694 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02695 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02696 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02697 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02698 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02699 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02700 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02701 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02702 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02703 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02704 476 NtClose (316, ... ) == 0x0 02705 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02706 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02707 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 1233924, ... ) }, 1233924, ... ) == 0x0 02708 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02709 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02710 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 02711 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02712 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02713 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02714 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02715 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02716 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02717 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02718 476 NtClose (316, ... ) == 0x0 02719 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02720 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02721 476 NtClose (316, ... ) == 0x0 02722 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02723 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02724 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 1233924, ... ) }, 1233924, ... ) == 0x0 02725 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02726 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02727 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 02728 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02729 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02730 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02731 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02732 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02733 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02734 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02735 476 NtClose (316, ... ) == 0x0 02736 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02737 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02738 476 NtClose (316, ... ) == 0x0 02739 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02740 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02741 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 1233924, ... ) }, 1233924, ... ) == 0x0 02742 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02743 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02744 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 02745 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02746 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02747 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02748 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02749 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02750 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02751 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02752 476 NtClose (316, ... ) == 0x0 02753 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02754 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02755 476 NtClose (316, ... ) == 0x0 02756 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02757 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02758 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02759 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02760 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02761 476 NtQueryValueKey (316, (316, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02762 476 NtClose (316, ... 
) == 0x0 02763 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02764 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02765 476 NtSetValueKey (316, (316, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (316, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 02766 476 NtClose (316, ... ) == 0x0 02767 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02768 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02769 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02770 476 NtClose (316, ... ) == 0x0 02771 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02772 476 NtClose (312, ... ) == 0x0 02773 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02774 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02775 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02776 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 
312, ) == 0x0 02777 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02778 476 NtClose (312, ... ) == 0x0 02779 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02780 476 NtClose (316, ... ) == 0x0 02781 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02782 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238412, 616, BothDirectory, 1, (316, 0, 0, 0, 1238412, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02783 476 NtClose (316, ... ) == 0x0 02784 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02785 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238308, 616, BothDirectory, 1, (316, 0, 0, 0, 1238308, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02786 476 NtClose (316, ... ) == 0x0 02787 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02788 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238220, 616, BothDirectory, 1, (316, 0, 0, 0, 1238220, 616, BothDirectory, 1, "Application Data", 0, ... {status=0x0, info=126}, ) , 0, ... {status=0x0, info=126}, ) == 0x0 02789 476 NtClose (316, ... ) == 0x0 02790 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02791 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02792 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 1233592, ... ) }, 1233592, ... ) == 0x0 02793 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02794 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02795 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02796 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02797 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02798 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02799 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02800 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02801 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02802 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02803 476 NtClose (316, ... ) == 0x0 02804 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02805 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02806 476 NtClose (316, ... ) == 0x0 02807 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02808 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02809 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 1233564, ... ) }, 1233564, ... ) == 0x0 02810 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02811 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02812 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02813 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02814 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02815 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02816 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02817 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02818 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02819 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02820 476 NtClose (316, ... ) == 0x0 02821 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02822 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02823 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 1233928, ... ) }, 1233928, ... ) == 0x0 02824 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02825 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02826 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02827 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02828 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02829 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02830 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02831 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02832 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02833 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02834 476 NtClose (316, ... ) == 0x0 02835 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02836 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02837 476 NtClose (316, ... ) == 0x0 02838 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02839 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02840 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 1233928, ... ) }, 1233928, ... ) == 0x0 02841 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02842 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02843 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02844 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02845 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02846 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02847 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02848 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02849 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02850 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02851 476 NtClose (316, ... ) == 0x0 02852 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02853 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02854 476 NtClose (316, ... ) == 0x0 02855 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02856 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02857 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 1233928, ... ) }, 1233928, ... ) == 0x0 02858 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02859 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02860 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02861 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02862 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02863 476 NtAllocateVirtualMemory (-1, 0, 0, 1048642, 8192, 4, ... 11337728, 1052672, ) == 0x0 02864 476 NtAllocateVirtualMemory (-1, 11337728, 0, 66, 4096, 4, ... 11337728, 4096, ) == 0x0 02865 476 NtReadFile (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, (316, 0, 0, 0, 62, 0x0, 2012046884, ... {status=0x0, info=62}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21765\15\12", ) , ) == 0x0 02866 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02867 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02868 476 NtClose (316, ... ) == 0x0 02869 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 02870 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 02871 476 NtClose (316, ... ) == 0x0 02872 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02873 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02874 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02875 476 NtWaitForSingleObject (100, 0, {0, 0}, ... 
) == 0x0 02876 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02877 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02878 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02879 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02880 476 NtClose (316, ... ) == 0x0 02881 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02882 476 NtClose (312, ... ) == 0x0 02883 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02884 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02885 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02886 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02887 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02888 476 NtClose (312, ... ) == 0x0 02889 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02890 476 NtClose (316, ... ) == 0x0 02891 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 
316, {status=0x0, info=1}, ) == 0x0 02892 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238476, 616, BothDirectory, 1, (316, 0, 0, 0, 1238476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02893 476 NtClose (316, ... ) == 0x0 02894 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02895 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238404, 616, BothDirectory, 1, (316, 0, 0, 0, 1238404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02896 476 NtClose (316, ... ) == 0x0 02897 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02898 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02899 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02900 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02901 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02902 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02903 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02904 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02905 476 NtClose (316, ... ) == 0x0 02906 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02907 476 NtClose (312, ... ) == 0x0 02908 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02909 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02910 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 02911 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02912 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02913 476 NtClose (312, ... ) == 0x0 02914 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02915 476 NtClose (316, ... ) == 0x0 02916 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02917 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238476, 616, BothDirectory, 1, (316, 0, 0, 0, 1238476, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0 02918 476 NtClose (316, ... ) == 0x0 02919 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02920 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238404, 616, BothDirectory, 1, (316, 0, 0, 0, 1238404, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02921 476 NtClose (316, ... ) == 0x0 02922 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02923 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02924 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02925 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02926 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS"}, 1240104, ... ) }, 1240104, ... 
) == 0x0 02927 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02928 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02929 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02930 476 NtClose (316, ... ) == 0x0 02931 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02932 476 NtClose (312, ... ) == 0x0 02933 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02934 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02935 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02936 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02937 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02938 476 NtClose (312, ... ) == 0x0 02939 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02940 476 NtClose (316, ... ) == 0x0 02941 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02942 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238496, 616, BothDirectory, 1, (316, 0, 0, 0, 1238496, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... 
{status=0x0, info=108}, ) == 0x0 02943 476 NtClose (316, ... ) == 0x0 02944 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02945 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02946 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 02947 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 02948 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02949 476 NtQueryValueKey (316, (316, "My Pictures", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0"}, 90, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "My Pictures", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0"}, 90, ) }, 90, ) == 0x0 02950 476 NtClose (316, ... ) == 0x0 02951 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures"}, 1240104, ... ) }, 1240104, ... ) == 0x0 02952 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 02953 476 NtSetValueKey (316, (316, "My Pictures", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0", 120, ... ) , 0, 1, (316, "My Pictures", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0", 120, ... ) , 120, ... ) == 0x0 02954 476 NtClose (316, ... 
) == 0x0 02955 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 02956 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02957 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 02958 476 NtClose (316, ... ) == 0x0 02959 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 02960 476 NtClose (312, ... ) == 0x0 02961 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 02962 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02963 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 02964 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 02965 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 02966 476 NtClose (312, ... ) == 0x0 02967 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02968 476 NtClose (316, ... ) == 0x0 02969 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02970 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238396, 616, BothDirectory, 1, (316, 0, 0, 0, 1238396, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... 
{status=0x0, info=138}, ) == 0x0 02971 476 NtClose (316, ... ) == 0x0 02972 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02973 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238276, 616, BothDirectory, 1, (316, 0, 0, 0, 1238276, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 02974 476 NtClose (316, ... ) == 0x0 02975 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 02976 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238172, 616, BothDirectory, 1, (316, 0, 0, 0, 1238172, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0 02977 476 NtClose (316, ... ) == 0x0 02978 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02979 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02980 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233544, ... ) }, 1233544, ... ) == 0x0 02981 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02982 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02983 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02984 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... 
{status=0x0, info=-2142329745}, ) == 0x0 02985 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02986 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 02987 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 02988 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 02989 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02990 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 02991 476 NtClose (316, ... ) == 0x0 02992 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 02993 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 02994 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02995 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 02996 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 02997 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 02998 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 02999 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03000 476 NtClose (316, ... ) == 0x0 03001 476 NtOpenProcessToken (-1, 0x8, ... 
316, ) == 0x0 03002 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03003 476 NtClose (316, ... ) == 0x0 03004 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03005 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03006 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233544, ... ) }, 1233544, ... ) == 0x0 03007 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03008 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03009 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03010 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03011 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03012 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03013 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03014 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03015 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03016 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03017 476 NtClose (316, ... 
) == 0x0 03018 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03019 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03020 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03021 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03022 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03023 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03024 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03025 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03026 476 NtClose (316, ... ) == 0x0 03027 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03028 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03029 476 NtClose (316, ... ) == 0x0 03030 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03031 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03032 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1235600, ... ) }, 1235600, ... ) == 0x0 03033 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03034 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03035 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03036 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03037 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03038 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03039 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03040 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03041 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03042 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03043 476 NtClose (316, ... ) == 0x0 03044 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03045 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03046 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233880, ... ) }, 1233880, ... ) == 0x0 03047 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03048 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03049 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 03050 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03051 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03052 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03053 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03054 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03055 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03056 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03057 476 NtClose (316, ... ) == 0x0 03058 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03059 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03060 476 NtClose (316, ... ) == 0x0 03061 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03062 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03063 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233880, ... ) }, 1233880, ... ) == 0x0 03064 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03065 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03066 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 03067 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03068 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03069 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03070 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03071 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03072 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03073 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03074 476 NtClose (316, ... ) == 0x0 03075 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03076 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03077 476 NtClose (316, ... ) == 0x0 03078 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03079 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03080 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1233880, ... ) }, 1233880, ... ) == 0x0 03081 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03082 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03083 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 03084 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03085 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03086 476 NtAllocateVirtualMemory (-1, 0, 0, 1048659, 8192, 4, ... 11337728, 1052672, ) == 0x0 03087 476 NtAllocateVirtualMemory (-1, 11337728, 0, 83, 4096, 4, ... 11337728, 4096, ) == 0x0 03088 476 NtReadFile (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, (316, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0 03089 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03090 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03091 476 NtClose (316, ... ) == 0x0 03092 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03093 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03094 476 NtClose (316, ... ) == 0x0 03095 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 03096 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238096, 616, BothDirectory, 1, (316, 0, 0, 0, 1238096, 616, BothDirectory, 1, "My Pictures", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 03097 476 NtClose (316, ... ) == 0x0 03098 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03099 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03100 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1233468, ... 
) }, 1233468, ... ) == 0x0 03101 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03102 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03103 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03104 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03105 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03106 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03107 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03108 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03109 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03110 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03111 476 NtClose (316, ... ) == 0x0 03112 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03113 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03114 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 03115 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03116 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03117 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03118 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03119 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03120 476 NtClose (316, ... ) == 0x0 03121 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03122 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03123 476 NtClose (316, ... ) == 0x0 03124 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03125 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03126 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1233468, ... ) }, 1233468, ... ) == 0x0 03127 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03128 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03129 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 
316, {status=0x0, info=1}, ) == 0x0 03130 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03131 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03132 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03133 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03134 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03135 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03136 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03137 476 NtClose (316, ... ) == 0x0 03138 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03139 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03140 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03141 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03142 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03143 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... 
{status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03144 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03145 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03146 476 NtClose (316, ... ) == 0x0 03147 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03148 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03149 476 NtClose (316, ... ) == 0x0 03150 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03151 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03152 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1235524, ... ) }, 1235524, ... ) == 0x0 03153 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03154 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03155 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03156 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03157 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03158 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03159 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 
11337728, 4096, ) == 0x0 03160 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03161 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03162 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03163 476 NtClose (316, ... ) == 0x0 03164 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03165 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03166 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1233804, ... ) }, 1233804, ... ) == 0x0 03167 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03168 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03169 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03170 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03171 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03172 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03173 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03174 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... 
{status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03175 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03176 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03177 476 NtClose (316, ... ) == 0x0 03178 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03179 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03180 476 NtClose (316, ... ) == 0x0 03181 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03182 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03183 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1233804, ... ) }, 1233804, ... ) == 0x0 03184 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03185 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03186 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03187 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03188 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03189 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 
11337728, 1052672, ) == 0x0 03190 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03191 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03192 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03193 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03194 476 NtClose (316, ... ) == 0x0 03195 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03196 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03197 476 NtClose (316, ... ) == 0x0 03198 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03199 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03200 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 1233804, ... ) }, 1233804, ... ) == 0x0 03201 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03202 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03203 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03204 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... 
{status=0x0, info=-2142329745}, ) == 0x0 03205 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03206 476 NtAllocateVirtualMemory (-1, 0, 0, 1048766, 8192, 4, ... 11337728, 1052672, ) == 0x0 03207 476 NtAllocateVirtualMemory (-1, 11337728, 0, 190, 4096, 4, ... 11337728, 4096, ) == 0x0 03208 476 NtReadFile (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, (316, 0, 0, 0, 186, 0x0, 2012046884, ... {status=0x0, info=186}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=39\15\12PersonalizedName=My Pictures\15\12[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\System32\mydocs.dll\15\12IconIndex=-101\15\12", ) , ) == 0x0 03209 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03210 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03211 476 NtClose (316, ... ) == 0x0 03212 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03213 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03214 476 NtClose (316, ... ) == 0x0 03215 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03216 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03217 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03218 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03219 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03220 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03221 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03222 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03223 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 316, ) }, ... 316, ) == 0x0 03224 476 NtQueryValueKey (316, (316, "ProgramFilesDir (x86)", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03225 476 NtClose (316, ... ) == 0x0 03226 476 NtReleaseSemaphore (100, 1, ... 
0, ) == 0x0 03227 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03228 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03229 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03230 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 316, ) }, ... 316, ) == 0x0 03231 476 NtQueryValueKey (316, (316, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03232 476 NtClose (316, ... ) == 0x0 03233 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files"}, 1240104, ... ) }, 1240104, ... ) == 0x0 03234 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 03235 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03236 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 03237 476 NtClose (316, ... ) == 0x0 03238 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 03239 476 NtClose (312, ... ) == 0x0 03240 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 03241 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03242 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03243 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 
312, ) == 0x0 03244 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 03245 476 NtClose (312, ... ) == 0x0 03246 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03247 476 NtClose (316, ... ) == 0x0 03248 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 03249 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238484, 616, BothDirectory, 1, (316, 0, 0, 0, 1238484, 616, BothDirectory, 1, "Program Files", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0 03250 476 NtClose (316, ... ) == 0x0 03251 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03252 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03253 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1233856, ... ) }, 1233856, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03254 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03255 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03256 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03257 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03258 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1233828, ... ) }, 1233828, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03259 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03260 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03261 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03262 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03263 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1234192, ... ) }, 1234192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03264 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03265 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03266 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03267 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03268 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1234192, ... ) }, 1234192, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03269 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03270 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03271 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03272 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03273 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Program Files\desktop.ini"}, 1234192, ... ) }, 1234192, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03274 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03275 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03276 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03277 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03278 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03279 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03280 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 03281 476 NtQueryValueKey (316, (316, "CommonPictures", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03282 476 NtClose (316, ... ) == 0x0 03283 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 03284 476 NtQueryValueKey (316, (316, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03285 476 NtClose (316, ... ) == 0x0 03286 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 316, ) }, ... 316, ) == 0x0 03287 476 NtQueryValueKey (316, (316, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (316, "AllUsersProfile", Partial, 144, ... 
TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03288 476 NtClose (316, ... ) == 0x0 03289 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures"}, 1240104, ... ) }, 1240104, ... ) == 0x0 03290 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 316, 2, ) }, 0, 0x0, 0, ... 316, 2, ) == 0x0 03291 476 NtSetValueKey (316, (316, "CommonPictures", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0", 116, ... ) , 0, 1, (316, "CommonPictures", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0P\0i\0c\0t\0u\0r\0e\0s\0\0\0", 116, ... ) , 116, ... ) == 0x0 03292 476 NtClose (316, ... ) == 0x0 03293 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 03294 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 316, {status=0x0, info=1}, ) }, 5, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03295 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 316, ... 312, ) == 0x0 03296 476 NtClose (316, ... ) == 0x0 03297 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 03298 476 NtClose (312, ... ) == 0x0 03299 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 03300 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03301 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... 
{process info, class 23, size 36}, 0x0, ) == 0x0 03302 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 312, ) }, ... 312, ) == 0x0 03303 476 NtOpenKey (0x2000000, {24, 312, 0x40, 0, 0, (0x2000000, {24, 312, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 316, ) }, ... 316, ) == 0x0 03304 476 NtClose (312, ... ) == 0x0 03305 476 NtQueryValueKey (316, (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03306 476 NtClose (316, ... ) == 0x0 03307 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 03308 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238400, 616, BothDirectory, 1, (316, 0, 0, 0, 1238400, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03309 476 NtClose (316, ... ) == 0x0 03310 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 03311 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238284, 616, BothDirectory, 1, (316, 0, 0, 0, 1238284, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03312 476 NtClose (316, ... ) == 0x0 03313 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 
316, {status=0x0, info=1}, ) == 0x0 03314 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238188, 616, BothDirectory, 1, (316, 0, 0, 0, 1238188, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03315 476 NtClose (316, ... ) == 0x0 03316 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03317 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03318 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233560, ... ) }, 1233560, ... ) == 0x0 03319 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03320 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03321 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03322 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03323 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03324 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03325 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03326 476 NtReadFile (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03327 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... 
(0xad0000), 1052672, ) == 0x0 03328 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03329 476 NtClose (316, ... ) == 0x0 03330 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03331 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03332 476 NtClose (316, ... ) == 0x0 03333 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03334 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03335 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233532, ... ) }, 1233532, ... ) == 0x0 03336 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03337 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03338 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03339 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03340 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03341 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03342 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03343 476 NtReadFile (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (316, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03344 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03345 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03346 476 NtClose (316, ... ) == 0x0 03347 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03348 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03349 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233896, ... ) }, 1233896, ... ) == 0x0 03350 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03351 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03352 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03353 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03354 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03355 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03356 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03357 476 NtReadFile (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (316, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03358 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03359 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03360 476 NtClose (316, ... ) == 0x0 03361 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03362 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03363 476 NtClose (316, ... ) == 0x0 03364 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03365 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03366 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233896, ... ) }, 1233896, ... ) == 0x0 03367 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03368 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03369 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03370 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03371 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03372 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03373 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03374 476 NtReadFile (316, 0, 0, 0, 138, 0x0, 2012046884, ... 
{status=0x0, info=138}, (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03375 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03376 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03377 476 NtClose (316, ... ) == 0x0 03378 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03379 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03380 476 NtClose (316, ... ) == 0x0 03381 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03382 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03383 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233896, ... ) }, 1233896, ... ) == 0x0 03384 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03385 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03386 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03387 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03388 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03389 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03390 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 
11337728, 4096, ) == 0x0 03391 476 NtReadFile (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (316, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03392 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03393 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03394 476 NtClose (316, ... ) == 0x0 03395 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03396 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03397 476 NtClose (316, ... ) == 0x0 03398 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\"}, 3, 16417, ... 316, {status=0x0, info=1}, ) }, 3, 16417, ... 316, {status=0x0, info=1}, ) == 0x0 03399 476 NtQueryDirectoryFile (316, 0, 0, 0, 1238112, 616, BothDirectory, 1, (316, 0, 0, 0, 1238112, 616, BothDirectory, 1, "My Pictures", 0, ... {status=0x0, info=116}, ) , 0, ... {status=0x0, info=116}, ) == 0x0 03400 476 NtClose (316, ... ) == 0x0 03401 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03402 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03403 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 1233484, ... ) }, 1233484, ... ) == 0x0 03404 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03405 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03406 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03407 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03408 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03409 476 NtAllocateVirtualMemory (-1, 0, 0, 1048730, 8192, 4, ... 11337728, 1052672, ) == 0x0 03410 476 NtAllocateVirtualMemory (-1, 11337728, 0, 154, 4096, 4, ... 11337728, 4096, ) == 0x0 03411 476 NtReadFile (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\system32\mydocs.dll\15\12IconIndex=-101\15\12LocalizedResourceName=@shell32.dll,-28997\15\12", ) , ) == 0x0 03412 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03413 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03414 476 NtClose (316, ... ) == 0x0 03415 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03416 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03417 476 NtClose (316, ... ) == 0x0 03418 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03419 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03420 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 1233456, ... ) }, 1233456, ... ) == 0x0 03421 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03422 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03423 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03424 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03425 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03426 476 NtAllocateVirtualMemory (-1, 0, 0, 1048730, 8192, 4, ... 11337728, 1052672, ) == 0x0 03427 476 NtAllocateVirtualMemory (-1, 11337728, 0, 154, 4096, 4, ... 11337728, 4096, ) == 0x0 03428 476 NtReadFile (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\system32\mydocs.dll\15\12IconIndex=-101\15\12LocalizedResourceName=@shell32.dll,-28997\15\12", ) , ) == 0x0 03429 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03430 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03431 476 NtClose (316, ... ) == 0x0 03432 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03433 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03434 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 1233820, ... ) }, 1233820, ... ) == 0x0 03435 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03436 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03437 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03438 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03439 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03440 476 NtAllocateVirtualMemory (-1, 0, 0, 1048730, 8192, 4, ... 11337728, 1052672, ) == 0x0 03441 476 NtAllocateVirtualMemory (-1, 11337728, 0, 154, 4096, 4, ... 11337728, 4096, ) == 0x0 03442 476 NtReadFile (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\system32\mydocs.dll\15\12IconIndex=-101\15\12LocalizedResourceName=@shell32.dll,-28997\15\12", ) , ) == 0x0 03443 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03444 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03445 476 NtClose (316, ... ) == 0x0 03446 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03447 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03448 476 NtClose (316, ... ) == 0x0 03449 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03450 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03451 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 1233820, ... ) }, 1233820, ... 
) == 0x0 03452 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03453 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03454 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03455 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03456 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03457 476 NtAllocateVirtualMemory (-1, 0, 0, 1048730, 8192, 4, ... 11337728, 1052672, ) == 0x0 03458 476 NtAllocateVirtualMemory (-1, 11337728, 0, 154, 4096, 4, ... 11337728, 4096, ) == 0x0 03459 476 NtReadFile (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\system32\mydocs.dll\15\12IconIndex=-101\15\12LocalizedResourceName=@shell32.dll,-28997\15\12", ) , ) == 0x0 03460 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03461 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03462 476 NtClose (316, ... ) == 0x0 03463 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03464 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03465 476 NtClose (316, ... ) == 0x0 03466 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03467 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03468 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 1233820, ... ) }, 1233820, ... ) == 0x0 03469 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03470 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03471 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini"}, 7, 96, ... 316, {status=0x0, info=1}, ) }, 7, 96, ... 316, {status=0x0, info=1}, ) == 0x0 03472 476 NtLockFile (316, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03473 476 NtQueryInformationFile (316, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03474 476 NtAllocateVirtualMemory (-1, 0, 0, 1048730, 8192, 4, ... 11337728, 1052672, ) == 0x0 03475 476 NtAllocateVirtualMemory (-1, 11337728, 0, 154, 4096, 4, ... 11337728, 4096, ) == 0x0 03476 476 NtReadFile (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, (316, 0, 0, 0, 150, 0x0, 2012046884, ... {status=0x0, info=150}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12688\15\12IconFile=%SystemRoot%\system32\mydocs.dll\15\12IconIndex=-101\15\12LocalizedResourceName=@shell32.dll,-28997\15\12", ) , ) == 0x0 03477 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03478 476 NtUnlockFile (316, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03479 476 NtClose (316, ... ) == 0x0 03480 476 NtOpenProcessToken (-1, 0x8, ... 316, ) == 0x0 03481 476 NtQueryInformationToken (316, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03482 476 NtClose (316, ... ) == 0x0 03483 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03484 476 NtReleaseSemaphore (100, 1, ... 
0, ) == 0x0 03485 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03486 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03487 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03488 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03489 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03490 476 NtAllocateVirtualMemory (-1, 1441792, 0, 4096, 4096, 4, ... 1441792, 4096, ) == 0x0 03491 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 03492 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03493 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\InProcServer32"}, ... 316, ) }, ... 316, ) == 0x0 03494 476 NtQueryKey (318, Name, 392, ... {Name= (318, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\InProcServer32"}, 192, ) }, 192, ) == 0x0 03495 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03496 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 03497 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03498 476 NtClose (312, ... ) == 0x0 03499 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03500 476 NtQueryValueKey (318, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (318, 0x0, Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 03501 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1236056, ... ) }, 1236056, ... ) == 0x0 03502 476 NtClose (318, ... ) == 0x0 03503 476 NtReleaseSemaphore (220, 1, ... 0, ) == 0x0 03504 476 NtWaitForSingleObject (220, 0, {0, 0}, ... ) == 0x0 03505 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03506 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 316, ) }, ... 316, ) == 0x0 03507 476 NtQueryValueKey (316, (316, "NoSharedDocuments", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03508 476 NtClose (316, ... ) == 0x0 03509 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03510 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 316, ) == 0x0 03511 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03512 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03513 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237884, (0xc0100080, {24, 0, 0x40, 0, 1237884, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 312, {status=0x0, info=1}, ) == 0x0 03514 476 NtSetInformationFile (312, 1237940, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03515 476 NtSetInformationFile (312, 1237932, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03516 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03517 476 NtWriteFile (312, 261, 0, 0, (312, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03518 476 NtReadFile (312, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (312, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 03519 476 NtFsControlFile (312, 261, 0x0, 0x0, 0x11c017, (312, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68}, (312, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\210"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 03520 476 NtClose (316, ... ) == 0x0 03521 476 NtClose (312, ... ) == 0x0 03522 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03523 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03524 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03525 476 NtWaitForSingleObject (100, 0, {0, 0}, ... 
) == 0x0 03526 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0 03527 476 NtQueryValueKey (312, (312, "CommonMusic", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03528 476 NtClose (312, ... ) == 0x0 03529 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 312, ) }, ... 312, ) == 0x0 03530 476 NtQueryValueKey (312, (312, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (312, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03531 476 NtClose (312, ... ) == 0x0 03532 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 312, ) }, ... 312, ) == 0x0 03533 476 NtQueryValueKey (312, (312, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03534 476 NtClose (312, ... ) == 0x0 03535 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music"}, 1240104, ... ) }, 1240104, ... ) == 0x0 03536 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 
312, 2, ) == 0x0 03537 476 NtSetValueKey (312, (312, "CommonMusic", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0M\0u\0s\0i\0c\0\0\0", 110, ... ) , 0, 1, (312, "CommonMusic", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\\0M\0y\0 \0M\0u\0s\0i\0c\0\0\0", 110, ... ) , 110, ... ) == 0x0 03538 476 NtClose (312, ... ) == 0x0 03539 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238516, ... ) }, 1238516, ... ) == 0x0 03540 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 312, {status=0x0, info=1}, ) }, 5, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03541 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 312, ... 316, ) == 0x0 03542 476 NtClose (312, ... ) == 0x0 03543 476 NtMapViewOfSection (316, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xad0000), 0x0, 262144, ) == 0x0 03544 476 NtClose (316, ... ) == 0x0 03545 476 NtUnmapViewOfSection (-1, 0xad0000, ... ) == 0x0 03546 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03547 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03548 476 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 316, ) }, ... 316, ) == 0x0 03549 476 NtOpenKey (0x2000000, {24, 316, 0x40, 0, 0, (0x2000000, {24, 316, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 312, ) }, ... 312, ) == 0x0 03550 476 NtClose (316, ... ) == 0x0 03551 476 NtQueryValueKey (312, (312, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (312, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03552 476 NtClose (312, ... ) == 0x0 03553 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0 03554 476 NtQueryDirectoryFile (312, 0, 0, 0, 1238408, 616, BothDirectory, 1, (312, 0, 0, 0, 1238408, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03555 476 NtClose (312, ... ) == 0x0 03556 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0 03557 476 NtQueryDirectoryFile (312, 0, 0, 0, 1238296, 616, BothDirectory, 1, (312, 0, 0, 0, 1238296, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03558 476 NtClose (312, ... ) == 0x0 03559 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 312, {status=0x0, info=1}, ) == 0x0 03560 476 NtQueryDirectoryFile (312, 0, 0, 0, 1238204, 616, BothDirectory, 1, (312, 0, 0, 0, 1238204, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0 03561 476 NtClose (312, ... ) == 0x0 03562 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03563 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03564 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233576, ... ) }, 1233576, ... 
) == 0x0 03565 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03566 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03567 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03568 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03569 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03570 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03571 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03572 476 NtReadFile (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03573 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03574 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03575 476 NtClose (312, ... ) == 0x0 03576 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03577 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03578 476 NtClose (312, ... ) == 0x0 03579 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03580 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03581 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233548, ... 
) }, 1233548, ... ) == 0x0 03582 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03583 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03584 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03585 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03586 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03587 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03588 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03589 476 NtReadFile (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03590 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03591 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03592 476 NtClose (312, ... ) == 0x0 03593 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03594 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03595 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233912, ... ) }, 1233912, ... ) == 0x0 03596 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03597 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03598 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03599 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03600 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03601 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03602 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03603 476 NtReadFile (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03604 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03605 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03606 476 NtClose (312, ... ) == 0x0 03607 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03608 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03609 476 NtClose (312, ... ) == 0x0 03610 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03611 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03612 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233912, ... ) }, 1233912, ... 
) == 0x0 03613 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03614 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03615 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03616 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03617 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03618 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03619 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03620 476 NtReadFile (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03621 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03622 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03623 476 NtClose (312, ... ) == 0x0 03624 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03625 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03626 476 NtClose (312, ... ) == 0x0 03627 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03628 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03629 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1233912, ... 
) }, 1233912, ... ) == 0x0 03630 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03631 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03632 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03633 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03634 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03635 476 NtAllocateVirtualMemory (-1, 0, 0, 1048718, 8192, 4, ... 11337728, 1052672, ) == 0x0 03636 476 NtAllocateVirtualMemory (-1, 11337728, 0, 142, 4096, 4, ... 11337728, 4096, ) == 0x0 03637 476 NtReadFile (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, (312, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0 03638 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03639 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03640 476 NtClose (312, ... ) == 0x0 03641 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03642 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03643 476 NtClose (312, ... ) == 0x0 03644 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\"}, 3, 16417, ... 312, {status=0x0, info=1}, ) }, 3, 16417, ... 
312, {status=0x0, info=1}, ) == 0x0 03645 476 NtQueryDirectoryFile (312, 0, 0, 0, 1238132, 616, BothDirectory, 1, (312, 0, 0, 0, 1238132, 616, BothDirectory, 1, "My Music", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 03646 476 NtClose (312, ... ) == 0x0 03647 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03648 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03649 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 1233504, ... ) }, 1233504, ... ) == 0x0 03650 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03651 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03652 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03653 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03654 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03655 476 NtAllocateVirtualMemory (-1, 0, 0, 1048731, 8192, 4, ... 11337728, 1052672, ) == 0x0 03656 476 NtAllocateVirtualMemory (-1, 11337728, 0, 155, 4096, 4, ... 11337728, 4096, ) == 0x0 03657 476 NtReadFile (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12689\15\12IconFile=%SystemRoot%\system32\SHELL32.dll\15\12IconIndex=-237\15\12LocalizedResourceName=@shell32.dll,-28995\15\12", ) , ) == 0x0 03658 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... 
(0xad0000), 1052672, ) == 0x0 03659 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03660 476 NtClose (312, ... ) == 0x0 03661 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03662 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03663 476 NtClose (312, ... ) == 0x0 03664 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03665 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03666 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 1233476, ... ) }, 1233476, ... ) == 0x0 03667 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03668 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03669 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03670 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03671 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03672 476 NtAllocateVirtualMemory (-1, 0, 0, 1048731, 8192, 4, ... 11337728, 1052672, ) == 0x0 03673 476 NtAllocateVirtualMemory (-1, 11337728, 0, 155, 4096, 4, ... 11337728, 4096, ) == 0x0 03674 476 NtReadFile (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, (312, 0, 0, 0, 151, 0x0, 2012046884, ... 
{status=0x0, info=151}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12689\15\12IconFile=%SystemRoot%\system32\SHELL32.dll\15\12IconIndex=-237\15\12LocalizedResourceName=@shell32.dll,-28995\15\12", ) , ) == 0x0 03675 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03676 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03677 476 NtClose (312, ... ) == 0x0 03678 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03679 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03680 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 1233840, ... ) }, 1233840, ... ) == 0x0 03681 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03682 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03683 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03684 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03685 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03686 476 NtAllocateVirtualMemory (-1, 0, 0, 1048731, 8192, 4, ... 11337728, 1052672, ) == 0x0 03687 476 NtAllocateVirtualMemory (-1, 11337728, 0, 155, 4096, 4, ... 11337728, 4096, ) == 0x0 03688 476 NtReadFile (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, (312, 0, 0, 0, 151, 0x0, 2012046884, ... 
{status=0x0, info=151}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12689\15\12IconFile=%SystemRoot%\system32\SHELL32.dll\15\12IconIndex=-237\15\12LocalizedResourceName=@shell32.dll,-28995\15\12", ) , ) == 0x0 03689 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03690 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03691 476 NtClose (312, ... ) == 0x0 03692 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03693 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03694 476 NtClose (312, ... ) == 0x0 03695 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03696 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03697 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 1233840, ... ) }, 1233840, ... ) == 0x0 03698 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03699 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03700 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03701 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03702 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03703 476 NtAllocateVirtualMemory (-1, 0, 0, 1048731, 8192, 4, ... 11337728, 1052672, ) == 0x0 03704 476 NtAllocateVirtualMemory (-1, 11337728, 0, 155, 4096, 4, ... 11337728, 4096, ) == 0x0 03705 476 NtReadFile (312, 0, 0, 0, 151, 0x0, 2012046884, ... 
{status=0x0, info=151}, (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12689\15\12IconFile=%SystemRoot%\system32\SHELL32.dll\15\12IconIndex=-237\15\12LocalizedResourceName=@shell32.dll,-28995\15\12", ) , ) == 0x0 03706 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03707 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03708 476 NtClose (312, ... ) == 0x0 03709 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03710 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03711 476 NtClose (312, ... ) == 0x0 03712 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03713 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03714 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 1233840, ... ) }, 1233840, ... ) == 0x0 03715 476 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03716 476 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03717 476 NtOpenFile (0x80100000, {24, 0, 0x40, 0, 0, (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Music\desktop.ini"}, 7, 96, ... 312, {status=0x0, info=1}, ) }, 7, 96, ... 312, {status=0x0, info=1}, ) == 0x0 03718 476 NtLockFile (312, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0 03719 476 NtQueryInformationFile (312, 1420000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03720 476 NtAllocateVirtualMemory (-1, 0, 0, 1048731, 8192, 4, ... 11337728, 1052672, ) == 0x0 03721 476 NtAllocateVirtualMemory (-1, 11337728, 0, 155, 4096, 4, ... 
11337728, 4096, ) == 0x0 03722 476 NtReadFile (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, (312, 0, 0, 0, 151, 0x0, 2012046884, ... {status=0x0, info=151}, "[.ShellClassInfo]\15\12InfoTip=@Shell32.dll,-12689\15\12IconFile=%SystemRoot%\system32\SHELL32.dll\15\12IconIndex=-237\15\12LocalizedResourceName=@shell32.dll,-28995\15\12", ) , ) == 0x0 03723 476 NtFreeVirtualMemory (-1, (0xad0000), 1052672, 32768, ... (0xad0000), 1052672, ) == 0x0 03724 476 NtUnlockFile (312, {0, 0}, {-1, -1}, 476, ... ) == STATUS_RANGE_NOT_LOCKED 03725 476 NtClose (312, ... ) == 0x0 03726 476 NtOpenProcessToken (-1, 0x8, ... 312, ) == 0x0 03727 476 NtQueryInformationToken (312, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 03728 476 NtClose (312, ... ) == 0x0 03729 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03730 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03731 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03732 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03733 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03734 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03735 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03736 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03737 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03738 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 03739 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 03740 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0 03741 476 NtQueryValueKey (312, (312, "CommonVideo", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03742 476 NtClose (312, ... ) == 0x0 03743 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 312, ) }, ... 
312, ) == 0x0 03744 476 NtQueryValueKey (312, (312, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (312, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03745 476 NtClose (312, ... ) == 0x0 03746 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 312, ) }, ... 312, ) == 0x0 03747 476 NtQueryValueKey (312, (312, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (312, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03748 476 NtClose (312, ... ) == 0x0 03749 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\My Videos"}, 1240104, ... ) }, 1240104, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03750 476 NtCreateKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 312, 2, ) }, 0, 0x0, 0, ... 312, 2, ) == 0x0 03751 476 NtSetValueKey (312, (312, "CommonVideo", 0, 1, "\0\0", 2, ... ) , 0, 1, (312, "CommonVideo", 0, 1, "\0\0", 2, ... ) , 2, ... ) == 0x0 03752 476 NtClose (312, ... 
) == 0x0 03753 476 NtWriteFile (308, 0, 0, 0, (308, 0, 0, 0, "L\0\0\0\1\24\2\0\0\0\0\0\300\0\0\0\0\0\0F\217\0\0\0 \0\0\0\300x\317Aw\331\307\1\0X\34\222\300\330\307\1\0\207iOw\331\307\1\0\0\1\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\07\1\24\0\37P\340O\320 \352:i\20\242\330\10\0+00\235\31\0/C:\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0J\01\0\0\0\0\006\31\211\21\0PROGRA~1\0\02\0\3\0\4\0\357\27606\342\0w6\08\24\0\0\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0\30\0H\01\0\0\0\0\006\342\0\20\0COMMON~1\0\00\0\3\0\4\0\357\27606\342\0/6\08\24\0\0\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0\30\0:\01\0\0\0\0\0\107\366%\22\0delsim\0\0$\0\3\0\4\0\357\276\107\366%\77\08\24\0\0\0d\0e\0l\0s\0i\0m\0\0\0\26\0<\02\0\0\0\1\0\107\3& \0del.exe\0&\0\3\0\4\0\357\276\107\366%\77\08\24\0\0\0d\0e\0l\0.\0e\0x\0e\0\0\0\26\0\0\0[\0\0\0\34\0\0\0\1\0\0\0\34\0\0\0-\0\0\0\0\0\0\0Z\0\0\0\21\0\0\0\3\0\0\0\350\35\361<\20\0\0\0\0C:\Program Files\Common Files\delsim\del.exe\0\0\17\0I\0n\0t\0e\0r\0n\0e\0t\0 \0", 634, 0x0, 0, ... {status=0x0, info=634}, ) , 634, 0x0, 0, ... {status=0x0, info=634}, ) == 0x0 03754 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES"}, 138, ) }, 138, ) == 0x0 03755 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03756 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 312, ) }, ... 312, ) == 0x0 03757 476 NtQueryKey (314, Name, 392, ... {Name= (314, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 03758 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03759 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 316, ) == 0x0 03760 476 NtQueryInformationToken (316, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03761 476 NtClose (316, ... ) == 0x0 03762 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03763 476 NtEnumerateKey (314, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (314, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 03764 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03765 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03766 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 316, ) }, ... 316, ) == 0x0 03767 476 NtQueryKey (318, Name, 392, ... {Name= (318, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 03768 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03769 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 320, ) == 0x0 03770 476 NtQueryInformationToken (320, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03771 476 NtClose (320, ... ) == 0x0 03772 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03773 476 NtQueryValueKey (318, (318, "DriveMask", Partial, 144, ... 
TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (318, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 03774 476 NtClose (318, ... ) == 0x0 03775 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03776 476 NtEnumerateKey (314, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 03777 476 NtClose (314, ... ) == 0x0 03778 476 NtUserQueryWindow (65644, 0, ... ) == 0x774 03779 476 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 03780 476 NtCreateSection (0xf0007, 0x0, {396, 0}, 4, 134217728, 0, ... 312, ) == 0x0 03781 476 NtMapViewOfSection (312, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03782 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 316, ) == 0x0 03783 476 NtDuplicateObject (-1, 312, 316, 0xf001f, 0, 2, ... 924, ) == 0x0 03784 476 NtClose (316, ... ) == 0x0 03785 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03786 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03787 476 NtClose (312, ... ) == 0x0 03788 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 312, ) == 0x0 03789 476 NtDuplicateObject (312, 924, -1, 0xf001f, 0, 2, ... 316, ) == 0x0 03790 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03791 476 NtClose (312, ... ) == 0x0 03792 476 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03793 476 NtClose (316, ... ) == 0x0 03794 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03795 476 NtUserMessageCall (0x1006c, WM_USER+0x3, 0x39c, 0x774, 0, 695, 0, ... ) == 0x1 03796 476 NtClose (308, ... ) == 0x0 03797 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03798 476 NtOpenKey (0x2000000, {24, 214, 0x40, 0, 0, (0x2000000, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03799 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 308, ) }, ... 308, ) == 0x0 03800 476 NtQueryKey (310, Name, 392, ... {Name= (310, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0 03801 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03802 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 316, ) == 0x0 03803 476 NtQueryInformationToken (316, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03804 476 NtClose (316, ... ) == 0x0 03805 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03806 476 NtEnumerateKey (310, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (310, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0 03807 476 NtQueryKey (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03808 476 NtOpenKey (0x1, {24, 214, 0x40, 0, 0, (0x1, {24, 214, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03809 476 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 316, ) }, ... 316, ) == 0x0 03810 476 NtQueryKey (318, Name, 392, ... {Name= (318, Name, 392, ... 
{Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0 03811 476 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03812 476 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 312, ) == 0x0 03813 476 NtQueryInformationToken (312, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03814 476 NtClose (312, ... ) == 0x0 03815 476 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03816 476 NtQueryValueKey (318, (318, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (318, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 03817 476 NtClose (318, ... ) == 0x0 03818 476 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 03819 476 NtEnumerateKey (310, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 03820 476 NtClose (310, ... ) == 0x0 03821 476 NtUserQueryWindow (65644, 0, ... ) == 0x774 03822 476 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 03823 476 NtCreateSection (0xf0007, 0x0, {396, 0}, 4, 134217728, 0, ... 308, ) == 0x0 03824 476 NtMapViewOfSection (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03825 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 316, ) == 0x0 03826 476 NtDuplicateObject (-1, 308, 316, 0xf001f, 0, 2, ... 924, ) == 0x0 03827 476 NtClose (316, ... ) == 0x0 03828 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03829 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03830 476 NtClose (308, ... ) == 0x0 03831 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 
308, ) == 0x0 03832 476 NtDuplicateObject (308, 924, -1, 0xf001f, 0, 2, ... 316, ) == 0x0 03833 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03834 476 NtClose (308, ... ) == 0x0 03835 476 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03836 476 NtClose (316, ... ) == 0x0 03837 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03838 476 NtUserMessageCall (0x1006c, WM_USER+0x3, 0x39c, 0x774, 0, 695, 0, ... ) == 0x1 03839 476 NtUserQueryWindow (65644, 0, ... ) == 0x774 03840 476 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 03841 476 NtCreateSection (0xf0007, 0x0, {56, 0}, 4, 134217728, 0, ... 316, ) == 0x0 03842 476 NtMapViewOfSection (316, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03843 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 308, ) == 0x0 03844 476 NtDuplicateObject (-1, 316, 308, 0xf001f, 0, 2, ... 924, ) == 0x0 03845 476 NtClose (308, ... ) == 0x0 03846 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03847 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03848 476 NtClose (316, ... ) == 0x0 03849 476 NtOpenProcess (0x40, {24, 0, 0x0, 0, 0, 0x0}, {1908, 0}, ... 316, ) == 0x0 03850 476 NtDuplicateObject (316, 924, -1, 0xf001f, 0, 2, ... 308, ) == 0x0 03851 476 NtClose (-1, ... ) == STATUS_INVALID_HANDLE 03852 476 NtClose (316, ... ) == 0x0 03853 476 NtMapViewOfSection (308, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 4096, ) == 0x0 03854 476 NtClose (308, ... ) == 0x0 03855 476 NtUnmapViewOfSection (-1, 0xa90000, ... ) == 0x0 03856 476 NtUserMessageCall (0x1006c, WM_USER+0x3, 0x39c, 0x774, 0, 695, 0, ... ) == 0x1 03857 476 NtClose (216, ... ) == 0x0 03858 476 NtQueryDefaultLocale (1, 1242240, ... ) == 0x0 03859 476 NtQueryDefaultLocale (1, 1241632, ... ) == 0x0 03860 476 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Delsim\Connection\del"}, 0, 0x0, 0, ... ) }, 0, 0x0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03861 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software"}, 0, 0x0, 0, ... 216, 2, ) }, 0, 0x0, 0, ... 216, 2, ) == 0x0 03862 476 NtCreateKey (0x2000000, {24, 216, 0x40, 0, 0, (0x2000000, {24, 216, 0x40, 0, 0, "Delsim"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03863 476 NtSetInformationFile (-2147482732, -136215516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03864 476 NtSetInformationFile (-2147482732, -136215988, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03865 476 NtSetInformationFile (-2147482732, -136215804, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03866 476 NtSetInformationFile (-2147482732, -136215612, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03862 476 NtCreateKey ... 308, 1, ) == 0x0 03867 476 NtClose (216, ... ) == 0x0 03868 476 NtCreateKey (0x2000000, {24, 308, 0x40, 0, 0, (0x2000000, {24, 308, 0x40, 0, 0, "Connection"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03869 476 NtSetInformationFile (-2147482732, -136215884, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03868 476 NtCreateKey ... 216, 1, ) == 0x0 03870 476 NtClose (308, ... ) == 0x0 03871 476 NtCreateKey (0xf003f, {24, 216, 0x40, 0, 0, (0xf003f, {24, 216, 0x40, 0, 0, "del"}, 0, 0x0, 0, ... 308, 1, ) }, 0, 0x0, 0, ... 308, 1, ) == 0x0 03872 476 NtClose (216, ... ) == 0x0 03873 476 NtSetValueKey (308, (308, "uninstExe", 0, 1, "C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0d\0e\0l\0s\0i\0m\0\\0d\0e\0l\0.\0e\0x\0e\0\0\0", 90, ... ) , 0, 1, (308, "uninstExe", 0, 1, "C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0d\0e\0l\0s\0i\0m\0\\0d\0e\0l\0.\0e\0x\0e\0\0\0", 90, ... ) , 90, ... ) == 0x0 03874 476 NtSetValueKey (308, (308, "uninstShortcut", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0d\0e\0l\0.\0l\0n\0k\0\0\0", 110, ... 
) , 0, 1, (308, "uninstShortcut", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\0d\0e\0l\0.\0l\0n\0k\0\0\0", 110, ... ) , 110, ... ) == 0x0 03875 476 NtClose (308, ... ) == 0x0 03876 476 NtCreateKey (0xf003f, {24, 28, 0x40, 0, 0, (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\delsim"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 03877 476 NtSetInformationFile (-2147482808, -136215516, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03878 476 NtSetInformationFile (-2147482808, -136215988, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03879 476 NtSetInformationFile (-2147482808, -136215612, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03876 476 NtCreateKey ... 308, 1, ) == 0x0 03880 476 NtSetValueKey (308, (308, "DisplayName", 0, 1, "D\0e\0l\0s\0i\0m\0 \0D\0i\0a\0l\0e\0r\0\0\0", 28, ... ) , 0, 1, (308, "DisplayName", 0, 1, "D\0e\0l\0s\0i\0m\0 \0D\0i\0a\0l\0e\0r\0\0\0", 28, ... ) , 28, ... ) == 0x0 03881 476 NtSetValueKey (308, (308, "UninstallString", 0, 1, "C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0d\0e\0l\0s\0i\0m\0\\0d\0e\0l\0.\0e\0x\0e\0 \0-\0u\0\0\0", 96, ... ) , 0, 1, (308, "UninstallString", 0, 1, "C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\\0d\0e\0l\0s\0i\0m\0\\0d\0e\0l\0.\0e\0x\0e\0 \0-\0u\0\0\0", 96, ... ) , 96, ... ) == 0x0 03882 476 NtClose (308, ... ) == 0x0 03883 476 NtUserQueryWindow (65644, 0, ... ) == 0x774 03884 476 NtUserQueryWindow (65644, 1, ... ) == 0x7c0 03885 476 NtQueryDefaultLocale (1, 1244140, ... ) == 0x0 03886 476 NtGdiCreateCompatibleDC (0, ... ) == 0x1010458 03887 476 NtGdiGetTextCharsetInfo (16843864, 0, 0, ... ) == 0x0 03888 476 NtGdiHfontCreate (1243468, 356, 0, 0, 1373800, ... ) == 0x10a0459 03889 476 NtGdiGetTextMetricsW (16843864, 1243776, 68, ... 
03890 476 NtQueryInformationFile (308, -136215168, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03891 476 NtQueryInformationFile (308, -136215248, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 03892 476 NtQueryVolumeInformationFile (308, -136215784, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 03893 476 NtClose (308, ... ) == 0x0 03889 476 NtGdiGetTextMetricsW ... ) == 0x1 03894 476 NtGdiGetTextFaceW (16843864, 32, 1243912, 1, ... ) == 0xe 03895 476 NtGdiGetWidthTable (16843864, 52, 1444040, 308, 1444656, 1419960, 1419976, ... ) == 0x1 03896 476 NtGdiDeleteObjectApp (16843864, ... ) == 0x1 03897 476 NtUserGetAtomName (32770, 1242912, ... ) == 0x6 03898 476 NtUserCreateWindowEx (-2147417343, 32770, 32770, "", -2134238524, 350, 257, 324, 255, 65556, 0, 4194304, 0, 1073742848, 0, ... 03899 476 NtUserSetWindowFNID (65762, 676, ... ) == 0x1 03900 476 NtUserCallHwndParam (65762, 1374956, 78, ... ) == 0x14faec 03901 476 NtUserMessageCall (0x100e2, WM_NCCREATE, 0x0, 0x12f6c4, 0, 670, 1, ... ) == 0x1 03902 476 NtUserMessageCall (0x100e2, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 03903 476 NtUserGetClassName (65762, 0, 1242056, ... ) == 0x6 03904 476 NtUserRemoveProp (65762, 43282, ... ) == 0x0 03905 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 2012561701, 4194304, 1, 2} (24, {24, 52, new_msg, 0, 2012561701, 4194304, 1, 2} "\0\0\0\0\5\4\3\0z\0\0\0\0\0@\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1579, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0@\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1579, 0} (24, {24, 52, new_msg, 0, 2012561701, 4194304, 1, 2} "\0\0\0\0\5\4\3\0z\0\0\0\0\0@\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1579, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0@\0\334\1\0\0\0\0\0\0" ) ) == 0x0 03906 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 03907 476 NtUserGetObjectInformation (44, 2, 1241732, 520, 0, ... ) == 0x1 03908 476 NtGdiDeleteObjectApp (17826903, ... ) == 0x1 03909 476 NtUserGetWindowDC (0, ... 
) == 0x1010050 03910 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03911 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03912 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03913 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03914 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03915 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03916 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03917 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03918 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03919 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03920 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03921 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03922 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03923 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03924 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03925 476 NtUserGetWindowDC (0, ... ) == 0x1010050 03926 476 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x2100457 03927 476 NtUserCallOneParam (16842832, 56, ... ) == 0x1 03928 476 NtUserSetProp (65762, 43288, 8680288, ... ) == 0x1 03898 476 NtUserCreateWindowEx ... ) == 0x100e2 03929 476 NtUserGetSystemMenu (65762, 0, ... 03930 476 NtQueryDefaultLocale (1, 1243812, ... ) == 0x0 03931 476 NtUserCallNoParam (0, ... ) == 0x100af 03932 476 NtUserCallNoParam (0, ... ) == 0x100b1 03933 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... 03934 476 NtAllocateVirtualMemory (-1, 5558272, 0, 4096, 4096, 32, ... 5558272, 4096, ) == 0x0 03933 476 NtUserThunkedMenuItemInfo ... ) == 0x1 03935 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... ) == 0x1 03936 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... ) == 0x1 03937 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... ) == 0x1 03938 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... ) == 0x1 03939 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 0, ... 
) == 0x1 03940 476 NtUserThunkedMenuItemInfo (65713, -1, 1, 1, 1243852, 1243900, ... ) == 0x1 03941 476 NtUserThunkedMenuItemInfo (65711, -1, 1, 1, 1243948, 1243996, ... ) == 0x1 03929 476 NtUserGetSystemMenu ... ) == 0x100b1 03942 476 NtFlushInstructionCache (-1, 9314304, 13, ... ) == 0x0 03943 476 NtUserGetAtomName (49175, 1242912, ... ) == 0x6 03944 476 NtUserCreateWindowEx (-2147483644, 49175, 49175, (-2147483644, 49175, 49175, "&Connect", 1476460545, 233, 185, 75, 23, 65762, 1, 4194304, 0, 1073742848, 0, ... , 1476460545, 233, 185, 75, 23, 65762, 1, 4194304, 0, 1073742848, 0, ... 03945 476 NtUserSetWindowFNID (65764, 673, ... ) == 0x1 03946 476 NtUserSetWindowLong (65764, 0, 1423780, 0, ... ) == 0x0 03947 476 NtUserMessageCall (0x100e4, WM_NCCREATE, 0x0, 0x12f6b4, 0, 670, 1, ... ) == 0x1 03948 476 NtUserMessageCall (0x100e4, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 03949 476 NtUserSetProp (65764, 43288, -1, ... ) == 0x1 03944 476 NtUserCreateWindowEx ... ) == 0x100e4 03950 476 NtUserGetAtomName (49180, 1242912, ... ) == 0x8 03951 476 NtUserCreateWindowEx (-2147483132, 49180, 49180, "", 1478557955, 74, 93, 234, 125, 65762, 201, 4194304, 0, 1073742848, 0, ... 03952 476 NtUserSetWindowFNID (65766, 674, ... ) == 0x1 03953 476 NtUserSetWindowLong (65766, 0, 1445100, 0, ... ) == 0x0 03954 476 NtUserCallHwndParam (65766, 3330, 81, ... ) == 0xbc64d4e9 03955 476 NtUserCallHwndParam (65766, 3760, 76, ... ) == 0xbc64d4ea 03956 476 NtUserCallHwndParam (65766, 2307, 76, ... ) == 0xbc64d4e5 03957 476 NtUserMessageCall (0x100e6, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 03958 476 NtUserSetProp (65766, 43288, -1, ... ) == 0x1 03959 476 NtUserGetDC (65766, ... ) == 0x1010053 03960 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 03961 476 NtUserCreateWindowEx (128, 49182, 49182, 0x0, 1554022467, 0, 24, 234, 101, 65766, 1000, 4194304, 0, 1024, 0, ... 03962 476 NtUserSetWindowFNID (65768, 678, ... 
) == 0x1 03963 476 NtUserSetWindowLong (65768, 0, 1408104, 0, ... ) == 0x0 03964 476 NtUserMessageCall (0x100e8, WM_NCCREATE, 0x0, 0x12eee4, 0, 670, 0, ... ) == 0x1 03965 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x0, 0x12ef0c, 0, 670, 0, ... ) == 0x0 03966 476 NtUserGetClassName (65766, 0, 1239776, ... ) == 0x8 03967 476 NtUserGetClassName (65768, 0, 1240044, ... ) == 0x9 03968 476 NtUserRemoveProp (65768, 43282, ... ) == 0x0 03969 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 1127153689, 45, 360, 0} (24, {24, 52, new_msg, 0, 1127153689, 45, 360, 0} "\0\0\0\0\5\4\3\00\353\22\0\0\0\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1580, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1580, 0} (24, {24, 52, new_msg, 0, 1127153689, 45, 360, 0} "\0\0\0\0\5\4\3\00\353\22\0\0\0\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1580, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\0\0\0\0\334\1\0\0\0\0\0\0" ) ) == 0x0 03970 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 03971 476 NtUserGetObjectInformation (44, 2, 1239716, 520, 0, ... ) == 0x1 03972 476 NtUserSetProp (65768, 43288, 8681440, ... ) == 0x1 03973 476 NtUserGetDC (65768, ... ) == 0x1010051 03974 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 03975 476 NtUserPostMessage (65768, 5, 0, 0, ... ) == 0x1 03976 476 NtUserSetWindowPos (65768, 0, 0, 0, 234, 98, 22, ... 03977 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12ece8, 0, 670, 0, ... ) == 0x0 03978 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12ecbc, 0, 670, 0, ... ) == 0x0 03979 476 NtUserSetScrollInfo (65768, 1, 1239072, 0, ... 03980 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12e724, 0, 670, 0, ... ) == 0x0 03981 476 NtUserSetScrollInfo (65768, 1, 1237640, 0, ... ) == 0x0 03982 476 NtUserSBGetParms (65768, 1, 5559892, 1237504, ... ) == 0x1 03983 476 NtUserSetProp (65768, 43285, 8682592, ... ) == 0x1 03984 476 NtUserRemoveProp (65768, 43282, ... 
) == 0x0 03985 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 0, 4, 4, 32} (24, {24, 52, new_msg, 0, 0, 4, 4, 32} "\0\0\0\0\5\4\3\0<\343\22\0<\343\22\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1581, 0} "\0\0\0\0\5\4\3\0\0\0\0\0<\343\22\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1581, 0} (24, {24, 52, new_msg, 0, 0, 4, 4, 32} "\0\0\0\0\5\4\3\0<\343\22\0<\343\22\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1581, 0} "\0\0\0\0\5\4\3\0\0\0\0\0<\343\22\0\334\1\0\0\0\0\0\0" ) ) == 0x0 03986 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 03987 476 NtUserGetObjectInformation (44, 2, 1236724, 520, 0, ... ) == 0x1 03988 476 NtUserSBGetParms (65768, 1, 5559892, 1237396, ... ) == 0x1 03989 476 NtUserSetWindowLong (65768, -16, 1283489859, 0, ... ) == 0x4c808043 03990 476 NtUserSBGetParms (65768, 0, 5559876, 1237396, ... ) == 0x1 03991 476 NtUserGetScrollBarInfo (65768, -6, 1237260, ... ) == 0x1 03992 476 NtUserGetWindowDC (65768, ... ) == 0x1010051 03993 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 03994 476 NtUserSetWindowLong (65768, -16, 1283489859, 0, ... ) == 0x4c808043 03995 476 NtUserRemoveProp (65768, 43285, ... ) == 0x847c60 03979 476 NtUserSetScrollInfo ... ) == 0x0 03996 476 NtUserSBGetParms (65768, 1, 5559892, 1238936, ... ) == 0x1 03997 476 NtUserSetProp (65768, 43285, 8682592, ... ) == 0x1 03998 476 NtUserRemoveProp (65768, 43282, ... ) == 0x0 03999 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 0, 0, 1238012, 0} (24, {24, 52, new_msg, 0, 0, 0, 1238012, 0} "\0\0\0\0\5\4\3\0 \267\325w\377\377\377\377\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1582, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\377\377\377\377\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1582, 0} (24, {24, 52, new_msg, 0, 0, 0, 1238012, 0} "\0\0\0\0\5\4\3\0 \267\325w\377\377\377\377\334\1\0\0\0\0\0\0" ... 
{24, 52, reply, 0, 464, 476, 1582, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\377\377\377\377\334\1\0\0\0\0\0\0" ) ) == 0x0 04000 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04001 476 NtUserGetObjectInformation (44, 2, 1238156, 520, 0, ... ) == 0x1 04002 476 NtUserSBGetParms (65768, 1, 5559892, 1238828, ... ) == 0x1 04003 476 NtUserSetWindowLong (65768, -16, 1283489859, 0, ... ) == 0x4c808043 04004 476 NtUserSBGetParms (65768, 0, 5559876, 1238828, ... ) == 0x1 04005 476 NtUserGetScrollBarInfo (65768, -6, 1238692, ... ) == 0x1 04006 476 NtUserGetWindowDC (65768, ... ) == 0x1010051 04007 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 04008 476 NtUserSetWindowLong (65768, -16, 1283489859, 0, ... ) == 0x4c808043 04009 476 NtUserRemoveProp (65768, 43285, ... ) == 0x847c60 04010 476 NtUserGetWindowDC (65768, ... ) == 0x1010051 04011 476 NtUserSetProp (65768, 43285, 8682592, ... ) == 0x1 04012 476 NtUserRemoveProp (65768, 43282, ... ) == 0x0 04013 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 8682424, 8681476, 8681440, 60} (24, {24, 52, new_msg, 0, 8682424, 8681476, 8681440, 60} "\0\0\0\0\5\4\3\0\227\2\0\0\367\1\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1583, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\367\1\0\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1583, 0} (24, {24, 52, new_msg, 0, 8682424, 8681476, 8681440, 60} "\0\0\0\0\5\4\3\0\227\2\0\0\367\1\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1583, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\367\1\0\0\334\1\0\0\0\0\0\0" ) ) == 0x0 04014 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04015 476 NtUserGetObjectInformation (44, 2, 1237992, 520, 0, ... ) == 0x1 04016 476 NtUserSBGetParms (65768, 1, 5559892, 1238664, ... ) == 0x1 04017 476 NtUserSetWindowLong (65768, -16, 1283489859, 0, ... ) == 0x4c808043 04018 476 NtUserSBGetParms (65768, 0, 5559876, 1238664, ... ) == 0x1 04019 476 NtUserGetScrollBarInfo (65768, -6, 1238528, ... ) == 0x1 04020 476 NtUserGetWindowDC (65768, ... 
) == 0x1010052 04021 476 NtUserCallOneParam (16842834, 56, ... ) == 0x1 04022 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 03976 476 NtUserSetWindowPos ... ) == 0x1 03961 476 NtUserCreateWindowEx ... ) == 0x100e8 04023 476 NtUserShowWindow (65768, 0, ... ) == 0x10 04024 476 NtUserSetParent (65768, 0, ... ) == 0x100e6 04025 476 NtUserShowWindow (65768, 0, ... ) == 0x0 04026 476 NtUserInvalidateRect (65766, 1445108, 1, ... ) == 0x1 04027 476 NtUserSetWindowPos (65766, 0, 0, 0, 234, 24, 22, ... 04028 476 NtUserMessageCall (0x100e6, WM_WINDOWPOSCHANGING, 0x0, 0x12f450, 0, 670, 1, ... ) == 0x0 04029 476 NtUserMessageCall (0x100e6, WM_NCCALCSIZE, 0x1, 0x12f424, 0, 670, 1, ... ) == 0x0 04027 476 NtUserSetWindowPos ... ) == 0x1 04030 476 NtUserMoveWindow (65768, 0, 24, 234, 101, 0, ... 04031 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12f474, 0, 670, 0, ... ) == 0x0 04032 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12f448, 0, 670, 0, ... ) == 0x0 04033 476 NtUserSetWindowPos (65768, 0, 0, 0, 234, 98, 22, ... 04034 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12efdc, 0, 670, 0, ... ) == 0x0 04035 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12efb0, 0, 670, 0, ... ) == 0x0 04033 476 NtUserSetWindowPos ... ) == 0x1 04030 476 NtUserMoveWindow ... ) == 0x1 03951 476 NtUserCreateWindowEx ... ) == 0x100e6 04036 476 NtUserGetDC (65768, ... ) == 0x1010052 04037 476 NtUserSetWindowPos (65768, 0, 0, 0, 234, 93, 22, ... 04038 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12f860, 0, 670, 0, ... ) == 0x0 04039 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12f834, 0, 670, 0, ... ) == 0x0 04040 476 NtUserSetScrollInfo (65768, 1, 1242008, 0, ... ) == 0x0 04041 476 NtUserSBGetParms (65768, 1, 5559892, 1241872, ... ) == 0x1 04042 476 NtUserGetScrollBarInfo (65768, -5, 1241736, ... ) == 0x1 04043 476 NtUserGetWindowDC (65768, ... ) == 0x1010051 04044 476 NtUserCallOneParam (16842833, 56, ... 
) == 0x1 04037 476 NtUserSetWindowPos ... ) == 0x1 04045 476 NtUserCallOneParam (16842834, 56, ... ) == 0x1 04046 476 NtUserGetDC (65766, ... ) == 0x1010053 04047 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04048 476 NtUserShowWindow (65768, 0, ... ) == 0x0 04049 476 NtUserInvalidateRect (65766, 1445108, 1, ... ) == 0x1 04050 476 NtUserSetWindowPos (65766, 0, 0, 0, 234, 21, 22, ... 04051 476 NtUserMessageCall (0x100e6, WM_WINDOWPOSCHANGING, 0x0, 0x12f9d0, 0, 670, 1, ... ) == 0x0 04052 476 NtUserMessageCall (0x100e6, WM_NCCALCSIZE, 0x1, 0x12f9a4, 0, 670, 1, ... ) == 0x0 04050 476 NtUserSetWindowPos ... ) == 0x1 04053 476 NtUserMoveWindow (65768, 0, 21, 234, 101, 0, ... 04054 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12f9f4, 0, 670, 0, ... ) == 0x0 04055 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12f9c8, 0, 670, 0, ... ) == 0x0 04056 476 NtUserSetWindowPos (65768, 0, 0, 0, 234, 93, 22, ... 04057 476 NtUserMessageCall (0x100e8, WM_WINDOWPOSCHANGING, 0x0, 0x12f55c, 0, 670, 0, ... ) == 0x0 04058 476 NtUserMessageCall (0x100e8, WM_NCCALCSIZE, 0x1, 0x12f530, 0, 670, 0, ... ) == 0x0 04056 476 NtUserSetWindowPos ... ) == 0x1 04053 476 NtUserMoveWindow ... ) == 0x1 04059 476 NtUserGetAtomName (49177, 1242912, ... ) == 0x6 04060 476 NtUserCreateWindowEx (-2147483644, 49177, 49177, (-2147483644, 49177, 49177, "Modem", 1342308352, 8, 98, 60, 15, 65762, 202, 4194304, 0, 1073742848, 0, ... , 1342308352, 8, 98, 60, 15, 65762, 202, 4194304, 0, 1073742848, 0, ... 04061 476 NtUserSetWindowFNID (65770, 680, ... ) == 0x1 04062 476 NtUserSetWindowLong (65770, 0, 1416008, 0, ... ) == 0x0 04063 476 NtUserMessageCall (0x100ea, WM_NCCREATE, 0x0, 0x12f6bc, 0, 670, 1, ... ) == 0x1 04064 476 NtUserMessageCall (0x100ea, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04065 476 NtUserSetProp (65770, 43288, -1, ... ) == 0x1 04060 476 NtUserCreateWindowEx ... ) == 0x100ea 04066 476 NtUserGetAtomName (49177, 1242912, ... 
) == 0x6 04067 476 NtUserCreateWindowEx (-2147483644, 49177, 49177, (-2147483644, 49177, 49177, "Dial prefix", 1342308352, 8, 125, 45, 15, 65762, -1, 4194304, 0, 1073742848, 0, ... , 1342308352, 8, 125, 45, 15, 65762, -1, 4194304, 0, 1073742848, 0, ... 04068 476 NtUserSetWindowFNID (65772, 680, ... ) == 0x1 04069 476 NtUserSetWindowLong (65772, 0, 1415984, 0, ... ) == 0x0 04070 476 NtUserMessageCall (0x100ec, WM_NCCREATE, 0x0, 0x12f6b0, 0, 670, 1, ... ) == 0x1 04071 476 NtUserMessageCall (0x100ec, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04072 476 NtUserSetProp (65772, 43288, -1, ... ) == 0x1 04067 476 NtUserCreateWindowEx ... ) == 0x100ec 04073 476 NtUserGetAtomName (49176, 1242912, ... ) == 0x4 04074 476 NtUserCreateWindowEx (-2147483132, 49176, 49176, "", 1476468736, 74, 120, 18, 20, 65762, 206, 4194304, 0, 1073742848, 0, ... 04075 476 NtUserSetWindowFNID (65774, 677, ... ) == 0x1 04076 476 NtUserSetWindowLong (65774, 0, 1431456, 0, ... ) == 0x0 04077 476 NtAllocateVirtualMemory (-1, 0, 0, 524280, 8192, 4, ... 11337728, 524288, ) == 0x0 04078 476 NtAllocateVirtualMemory (-1, 11337728, 0, 4096, 4096, 4, ... 11337728, 4096, ) == 0x0 04079 476 NtUserMessageCall (0x100ee, WM_NCCREATE, 0x0, 0x12f6c4, 0, 670, 1, ... ) == 0x1 04080 476 NtUserMessageCall (0x100ee, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04081 476 NtUserGetClassName (65762, 0, 1241792, ... ) == 0x6 04082 476 NtUserSetProp (65774, 43288, -1, ... ) == 0x1 04083 476 NtUserGetDC (65774, ... ) == 0x1010053 04084 476 NtGdiIntersectClipRect (16842835, 0, 0, 0, 0, ... ) == 0x3 04085 476 NtGdiGetTextCharsetInfo (16842835, 0, 0, ... ) == 0x0 04086 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04087 476 NtUserGetDC (65774, ... ) == 0x1010053 04088 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04089 476 NtUserInvalidateRect (65774, 0, 1, ... ) == 0x1 04074 476 NtUserCreateWindowEx ... ) == 0x100ee 04090 476 NtUserGetDC (65774, ... 
) == 0x1010051 04091 476 NtGdiGetTextFaceW (16842833, 32, 1243584, 0, ... ) == 0xe 04092 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 04093 476 NtUserGetAtomName (49175, 1242912, ... ) == 0x6 04094 476 NtUserCreateWindowEx (-2147483644, 49175, 49175, (-2147483644, 49175, 49175, "Read me first", 1342177287, 8, 10, 300, 70, 65762, -1, 4194304, 0, 1073742848, 0, ... , 1342177287, 8, 10, 300, 70, 65762, -1, 4194304, 0, 1073742848, 0, ... 04095 476 NtUserSetWindowFNID (65776, 673, ... ) == 0x1 04096 476 NtUserSetWindowLong (65776, 0, 1423760, 0, ... ) == 0x0 04097 476 NtUserMessageCall (0x100f0, WM_NCCREATE, 0x0, 0x12f6ac, 0, 670, 1, ... ) == 0x1 04098 476 NtUserMessageCall (0x100f0, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04099 476 NtUserSetProp (65776, 43288, -1, ... ) == 0x1 04094 476 NtUserCreateWindowEx ... ) == 0x100f0 04100 476 NtUserGetAtomName (49177, 1242912, ... ) == 0x6 04101 476 NtUserCreateWindowEx (-2147483644, 49177, 49177, "", 1342308352, 18, 26, 281, 42, 65762, 205, 4194304, 0, 1073742848, 0, ... 04102 476 NtUserSetWindowFNID (65778, 680, ... ) == 0x1 04103 476 NtUserSetWindowLong (65778, 0, 1415960, 0, ... ) == 0x0 04104 476 NtUserMessageCall (0x100f2, WM_NCCREATE, 0x0, 0x12f6c4, 0, 670, 1, ... ) == 0x1 04105 476 NtUserMessageCall (0x100f2, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04106 476 NtUserSetProp (65778, 43288, -1, ... ) == 0x1 04101 476 NtUserCreateWindowEx ... ) == 0x100f2 04107 476 NtUserGetAtomName (49178, 1242912, ... ) == 0x7 04108 476 NtUserCreateWindowEx (-2147483132, 49178, 49178, "", 1344340224, 74, 151, 234, 20, 65762, 204, 4194304, 0, 1073742848, 0, ... 04109 476 NtUserSetWindowFNID (65780, 678, ... ) == 0x1 04110 476 NtUserSetWindowLong (65780, 0, 1407928, 0, ... ) == 0x0 04111 476 NtUserMessageCall (0x100f4, WM_NCCREATE, 0x0, 0x12f6c4, 0, 670, 1, ... ) == 0x1 04112 476 NtUserMessageCall (0x100f4, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... 
) == 0x0 04113 476 NtUserGetClassName (65762, 0, 1241792, ... ) == 0x6 04114 476 NtUserGetClassName (65780, 0, 1242060, ... ) == 0x7 04115 476 NtUserRemoveProp (65780, 43282, ... ) == 0x0 04116 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 20, 1442720, 1311152, 0} (24, {24, 52, new_msg, 0, 20, 1442720, 1311152, 0} "\0\0\0\0\5\4\3\0\6\0\0\0\10\362\22#\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1584, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\10\362\22#\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1584, 0} (24, {24, 52, new_msg, 0, 20, 1442720, 1311152, 0} "\0\0\0\0\5\4\3\0\6\0\0\0\10\362\22#\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1584, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\10\362\22#\334\1\0\0\0\0\0\0" ) ) == 0x0 04117 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04118 476 NtUserGetObjectInformation (44, 2, 1241732, 520, 0, ... ) == 0x1 04119 476 NtAllocateVirtualMemory (-1, 8683520, 0, 4096, 4096, 4, ... 8683520, 4096, ) == 0x0 04120 476 NtUserSetProp (65780, 43288, 8682992, ... ) == 0x1 04121 476 NtUserGetDC (65780, ... ) == 0x1010053 04122 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04123 476 NtUserSetScrollInfo (65780, 1, 1242272, 0, ... 04124 476 NtUserMessageCall (0x100f4, WM_NCCALCSIZE, 0x1, 0x12f3a4, 0, 670, 1, ... ) == 0x0 04125 476 NtUserSetScrollInfo (65780, 1, 1240840, 0, ... ) == 0x0 04126 476 NtUserSBGetParms (65780, 1, 5561284, 1240704, ... ) == 0x1 04127 476 NtUserSetProp (65780, 43285, 8684144, ... ) == 0x1 04128 476 NtUserRemoveProp (65780, 43282, ... ) == 0x0 04129 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 0, 0, 0, 2010406685} (24, {24, 52, new_msg, 0, 0, 0, 0, 2010406685} "\0\0\0\0\5\4\3\0\347\377\377\377\1\0\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1585, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1585, 0} (24, {24, 52, new_msg, 0, 0, 0, 0, 2010406685} "\0\0\0\0\5\4\3\0\347\377\377\377\1\0\0\0\334\1\0\0\0\0\0\0" ... 
{24, 52, reply, 0, 464, 476, 1585, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\1\0\0\0\334\1\0\0\0\0\0\0" ) ) == 0x0 04130 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04131 476 NtUserGetObjectInformation (44, 2, 1239924, 520, 0, ... ) == 0x1 04132 476 NtUserSBGetParms (65780, 1, 5561284, 1240596, ... ) == 0x1 04133 476 NtUserSetWindowLong (65780, -16, 1073807616, 0, ... ) == 0x40010100 04134 476 NtUserSBGetParms (65780, 0, 5561268, 1240596, ... ) == 0x1 04135 476 NtUserGetScrollBarInfo (65780, -6, 1240460, ... ) == 0x1 04136 476 NtUserGetWindowDC (65780, ... ) == 0x1010053 04137 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04138 476 NtUserSetWindowLong (65780, -16, 1073807616, 0, ... ) == 0x40010100 04139 476 NtUserRemoveProp (65780, 43285, ... ) == 0x848270 04123 476 NtUserSetScrollInfo ... ) == 0x0 04140 476 NtUserSBGetParms (65780, 1, 5561284, 1242136, ... ) == 0x1 04141 476 NtUserSetProp (65780, 43285, 8684144, ... ) == 0x1 04142 476 NtUserRemoveProp (65780, 43282, ... ) == 0x0 04143 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 0, 0, 1241212, 1241312} (24, {24, 52, new_msg, 0, 0, 0, 1241212, 1241312} "\0\0\0\0\5\4\3\0 \267\325w\377\377\377\377\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1586, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\377\377\377\377\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1586, 0} (24, {24, 52, new_msg, 0, 0, 0, 1241212, 1241312} "\0\0\0\0\5\4\3\0 \267\325w\377\377\377\377\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1586, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\377\377\377\377\334\1\0\0\0\0\0\0" ) ) == 0x0 04144 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04145 476 NtUserGetObjectInformation (44, 2, 1241356, 520, 0, ... ) == 0x1 04146 476 NtUserSBGetParms (65780, 1, 5561284, 1242028, ... ) == 0x1 04147 476 NtUserSetWindowLong (65780, -16, 1073807616, 0, ... ) == 0x40010100 04148 476 NtUserSBGetParms (65780, 0, 5561268, 1242028, ... ) == 0x1 04149 476 NtUserGetScrollBarInfo (65780, -6, 1241892, ... 
) == 0x1 04150 476 NtUserGetWindowDC (65780, ... ) == 0x1010053 04151 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04152 476 NtUserSetWindowLong (65780, -16, 1073807616, 0, ... ) == 0x40010100 04153 476 NtUserRemoveProp (65780, 43285, ... ) == 0x848270 04154 476 NtUserGetWindowDC (65780, ... ) == 0x1010053 04155 476 NtUserSetProp (65780, 43285, 8684144, ... ) == 0x1 04156 476 NtUserRemoveProp (65780, 43282, ... ) == 0x0 04157 476 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 8683976, 8683028, 8682992, 60} (24, {24, 52, new_msg, 0, 8683976, 8683028, 8682992, 60} "\0\0\0\0\5\4\3\0\227\2\0\0\313\1\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1587, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\313\1\0\0\334\1\0\0\0\0\0\0" ) ... {24, 52, reply, 0, 464, 476, 1587, 0} (24, {24, 52, new_msg, 0, 8683976, 8683028, 8682992, 60} "\0\0\0\0\5\4\3\0\227\2\0\0\313\1\0\0\334\1\0\0\0\0\0\0" ... {24, 52, reply, 0, 464, 476, 1587, 0} "\0\0\0\0\5\4\3\0\0\0\0\0\313\1\0\0\334\1\0\0\0\0\0\0" ) ) == 0x0 04158 476 NtUserGetThreadDesktop (476, 0, ... ) == 0x2c 04159 476 NtUserGetObjectInformation (44, 2, 1241192, 520, 0, ... ) == 0x1 04160 476 NtUserSBGetParms (65780, 1, 5561284, 1241864, ... ) == 0x1 04161 476 NtUserSetWindowLong (65780, -16, 1073807616, 0, ... ) == 0x40010100 04162 476 NtUserSBGetParms (65780, 0, 5561268, 1241864, ... ) == 0x1 04163 476 NtUserGetScrollBarInfo (65780, -6, 1241728, ... ) == 0x1 04164 476 NtUserGetWindowDC (65780, ... ) == 0x1010051 04165 476 NtUserCallOneParam (16842833, 56, ... ) == 0x1 04166 476 NtUserCallOneParam (16842835, 56, ... ) == 0x1 04108 476 NtUserCreateWindowEx ... ) == 0x100f4 04167 476 NtUserGetDC (65780, ... ) == 0x1010052 04168 476 NtUserCallOneParam (16842834, 56, ... ) == 0x1 04169 476 NtUserGetAtomName (49177, 1242912, ... ) == 0x6 04170 476 NtUserCreateWindowEx (-2147483644, 49177, 49177, (-2147483644, 49177, 49177, "Status", 1342308352, 8, 154, 60, 16, 65762, -1, 4194304, 0, 1073742848, 0, ... 
, 1342308352, 8, 154, 60, 16, 65762, -1, 4194304, 0, 1073742848, 0, ... 04171 476 NtUserSetWindowFNID (65782, 680, ... ) == 0x1 04172 476 NtUserSetWindowLong (65782, 0, 1415936, 0, ... ) == 0x0 04173 476 NtUserMessageCall (0x100f6, WM_NCCREATE, 0x0, 0x12f6b8, 0, 670, 1, ... ) == 0x1 04174 476 NtUserMessageCall (0x100f6, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04175 476 NtUserSetProp (65782, 43288, -1, ... ) == 0x1 04170 476 NtUserCreateWindowEx ... ) == 0x100f6 04176 476 NtUserGetAtomName (49175, 1242912, ... ) == 0x6 04177 476 NtUserCreateWindowEx (-2147483644, 49175, 49175, (-2147483644, 49175, 49175, "&Help", 1342242816, 188, 185, 38, 24, 65762, 209, 4194304, 0, 1073742848, 0, ... , 1342242816, 188, 185, 38, 24, 65762, 209, 4194304, 0, 1073742848, 0, ... 04178 476 NtUserSetWindowFNID (65784, 673, ... ) == 0x1 04179 476 NtUserSetWindowLong (65784, 0, 1423740, 0, ... ) == 0x0 04180 476 NtUserMessageCall (0x100f8, WM_NCCREATE, 0x0, 0x12f6bc, 0, 670, 1, ... ) == 0x1 04181 476 NtUserMessageCall (0x100f8, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04182 476 NtUserSetProp (65784, 43288, -1, ... ) == 0x1 04177 476 NtUserCreateWindowEx ... ) == 0x100f8 04183 476 NtUserGetAtomName (49177, 1242912, ... ) == 0x6 04184 476 NtUserCreateWindowEx (-2147483644, 49177, 49177, (-2147483644, 49177, 49177, "(optional prefix to access an outside line)", 1342308352, 101, 124, 195, 13, 65762, -1, 4194304, 0, 1073742848, 0, ... , 1342308352, 101, 124, 195, 13, 65762, -1, 4194304, 0, 1073742848, 0, ... 04185 476 NtUserSetWindowFNID (65786, 680, ... ) == 0x1 04186 476 NtUserSetWindowLong (65786, 0, 1415912, 0, ... ) == 0x0 04187 476 NtUserMessageCall (0x100fa, WM_NCCREATE, 0x0, 0x12f670, 0, 670, 1, ... ) == 0x1 04188 476 NtUserMessageCall (0x100fa, WM_NCCALCSIZE, 0x0, 0x12f6f4, 0, 670, 1, ... ) == 0x0 04189 476 NtUserSetProp (65786, 43288, -1, ... ) == 0x1 04184 476 NtUserCreateWindowEx ... ) == 0x100fa 04190 476 NtUserSetWindowLong (65762, -21, 74565, 1, ... 
) == 0x0 04191 476 NtUserBuildHwndList (0, 0, 0, 0, 64, ... (0x3004a, 0x100dc, 0x100aa, 0x100a8, 0x100a6, 0x20066, 0x20062, 0x10080, 0x10074, 0x10068, 0x30048, 0x3004c, 0x3003a, 0x1009c, 0x10090, 0x1007c, 0x10026, 0x100e2, 0x100d8, 0x100d0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x20060, 0x100e8, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x5004e, 0x40052, 0x70030, 0x1007e, 0x10076, 0x1, ), 42, ) == 0x0 04192 476 NtQueryDefaultLocale (1, 1242584, ... ) == 0x0 04193 476 NtQueryDefaultLocale (1, 1241456, ... ) == 0x0 04194 476 NtQueryDefaultLocale (1, 1240848, ... ) == 0x0 04195 476 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Delsim\Connection\del"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 04196 476 NtQueryValueKey (308, (308, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04197 476 NtClose (308, ... ) == 0x0 04198 476 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "RemoteAccess"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04199 476 NtQueryDefaultLocale (1, 1240020, ... ) == 0x0 04200 476 NtQueryDefaultLocale (1, 1239412, ... ) == 0x0 04201 476 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "Software\Delsim\Connection\del"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 04202 476 NtSetValueKey (308, (308, "Default", 0, 1, "\353\0\1\0\0\0", 6, ... ) , 0, 1, (308, "Default", 0, 1, "\353\0\1\0\0\0", 6, ... ) , 6, ... ) == 0x0 04203 476 NtSetValueKey (308, (308, "InternetProfile", 0, 1, "", 0, ... , 0, 1, "", 0, ... 04204 476 NtSetInformationFile (-2147482732, -136215180, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 04203 476 NtSetValueKey ... ) == 0x0 04205 476 NtClose (308, ... ) == 0x0 04206 476 NtQueryDefaultLocale (1, 1241440, ... ) == 0x0 04207 476 NtQueryDefaultLocale (1, 1240832, ... 
) == 0x0 04208 476 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Delsim\Connection\del"}, ... 308, ) }, ... 308, ) == 0x0 04209 476 NtQueryValueKey (308, (308, "cc", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04210 476 NtClose (308, ... ) == 0x0 04211 476 NtQueryValueKey (72, (72, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04212 476 NtQueryValueKey (72, (72, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04213 476 NtQueryValueKey (72, (72, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04214 476 NtQueryValueKey (72, (72, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04215 476 NtQueryValueKey (72, (72, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04216 476 NtQueryValueKey (72, (72, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04217 476 NtQueryValueKey (72, (72, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04218 476 NtQueryValueKey (72, (72, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04219 476 NtQueryValueKey (72, (72, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04220 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04221 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1237188, ... 
) }, 1237188, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04222 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1237188, ... ) }, 1237188, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04223 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1237188, ... ) }, 1237188, ... ) == 0x0 04224 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 308, {status=0x0, info=1}, ) }, 5, 96, ... 308, {status=0x0, info=1}, ) == 0x0 04225 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 308, ... 216, ) == 0x0 04226 476 NtQuerySection (216, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04227 476 NtClose (308, ... ) == 0x0 04228 476 NtMapViewOfSection (216, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 04229 476 NtClose (216, ... ) == 0x0 04230 476 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 216, ) == 0x0 04231 476 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 308, ) == 0x0 04232 476 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 316, ) }, ... 316, ) == 0x0 04233 476 NtQueryEvent (316, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 04234 476 NtClose (316, ... ) == 0x0 04235 476 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1238672, 140, ... 316, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1238672, 140, ... 316, 0x0, 0x0, 256, 140, ) == 0x0 04236 476 NtRequestWaitReplyPort (316, {28, 52, new_msg, 0, 0, 0, 0, 0} (316, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\350\213\25\0" ... 
{176, 200, reply, 0, 464, 476, 1589, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 464, 476, 1589, 0} (316, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\350\213\25\0" ... {176, 200, reply, 0, 464, 476, 1589, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 04237 476 NtQueryValueKey (72, (72, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04238 476 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 312, ) }, ... 312, ) == 0x0 04239 476 NtQueryValueKey (312, (312, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04240 476 NtClose (312, ... ) == 0x0 04241 476 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 312, ) }, ... 312, ) == 0x0 04242 476 NtQueryValueKey (312, (312, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04243 476 NtClose (312, ... ) == 0x0 04244 476 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 312, ) }, ... 
312, ) == 0x0 04245 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 320, ) }, ... 320, ) == 0x0 04246 476 NtQueryValueKey (320, (320, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (320, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04247 476 NtClose (320, ... ) == 0x0 04248 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 320, ) }, ... 320, ) == 0x0 04249 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 324, ) }, ... 324, ) == 0x0 04250 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 328, ) }, ... 328, ) == 0x0 04251 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 332, ) }, ... 332, ) == 0x0 04252 476 NtQueryValueKey (332, (332, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 04253 476 NtQueryValueKey (332, (332, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 04254 476 NtClose (332, ... ) == 0x0 04255 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 332, ) }, ... 332, ) == 0x0 04256 476 NtQueryValueKey (332, (332, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 04257 476 NtQueryValueKey (332, (332, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 04258 476 NtQueryValueKey (332, (332, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 04259 476 NtQueryValueKey (332, (332, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 04260 476 NtQueryValueKey (332, (332, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 04261 476 NtQueryValueKey (332, (332, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (332, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 04262 476 NtClose (332, ... ) == 0x0 04263 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Content"}, ... 332, ) }, ... 332, ) == 0x0 04264 476 NtQueryValueKey (332, (332, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04265 476 NtClose (332, ... ) == 0x0 04266 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Content"}, ... 332, ) }, ... 332, ) == 0x0 04267 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04268 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 04269 476 NtWaitForSingleObject (100, 0, {0, 0}, ... 
) == 0x0 04270 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04271 476 NtQueryValueKey (336, (336, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 04272 476 NtClose (336, ... ) == 0x0 04273 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1235900, ... ) }, 1235900, ... ) == 0x0 04274 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04275 476 NtSetValueKey (336, (336, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (336, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 04276 476 NtClose (336, ... 
) == 0x0 04277 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1237232, ... ) }, 1237232, ... ) == 0x0 04278 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1236964, ... ) }, 1236964, ... ) == 0x0 04279 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 336, {status=0x0, info=1}, ) }, 7, 2113568, ... 336, {status=0x0, info=1}, ) == 0x0 04280 476 NtSetInformationFile (336, 1236940, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04281 476 NtClose (336, ... ) == 0x0 04282 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1236964, ... ) }, 1236964, ... ) == 0x0 04283 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04284 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04285 476 NtQueryValueKey (332, (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 04286 476 NtOpenKey (0xf, {24, 28, 0x40, 0, 0, (0xf, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 336, ) }, ... 
336, ) == 0x0 04287 476 NtOpenKey (0xf, {24, 336, 0x40, 0, 0, (0xf, {24, 336, 0x40, 0, 0, "Paths"}, ... 340, ) }, ... 340, ) == 0x0 04288 476 NtOpenKey (0xf, {24, 340, 0x40, 0, 0, (0xf, {24, 340, 0x40, 0, 0, "Path1"}, ... 344, ) }, ... 344, ) == 0x0 04289 476 NtOpenKey (0xf, {24, 340, 0x40, 0, 0, (0xf, {24, 340, 0x40, 0, 0, "Path2"}, ... 348, ) }, ... 348, ) == 0x0 04290 476 NtOpenKey (0xf, {24, 340, 0x40, 0, 0, (0xf, {24, 340, 0x40, 0, 0, "Path3"}, ... 352, ) }, ... 352, ) == 0x0 04291 476 NtOpenKey (0xf, {24, 340, 0x40, 0, 0, (0xf, {24, 340, 0x40, 0, 0, "Path4"}, ... 356, ) }, ... 356, ) == 0x0 04292 476 NtOpenKey (0xf, {24, 336, 0x40, 0, 0, (0xf, {24, 336, 0x40, 0, 0, "Special Paths"}, ... 360, ) }, ... 360, ) == 0x0 04293 476 NtSetValueKey (340, (340, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (340, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 04294 476 NtSetValueKey (340, (340, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (340, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 04295 476 NtSetValueKey (344, (344, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... 
) , 0, 1, (344, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 04296 476 NtSetValueKey (348, (348, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (348, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 04297 476 NtSetValueKey (352, (352, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (352, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... 
) == 0x0 04298 476 NtSetValueKey (356, (356, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (356, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 04299 476 NtSetValueKey (344, (344, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (344, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 04300 476 NtSetValueKey (348, (348, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (348, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 04301 476 NtSetValueKey (352, (352, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (352, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 04302 476 NtSetValueKey (356, (356, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (356, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 04303 476 NtClose (356, ... ) == 0x0 04304 476 NtClose (352, ... ) == 0x0 04305 476 NtClose (348, ... ) == 0x0 04306 476 NtClose (344, ... ) == 0x0 04307 476 NtClose (340, ... ) == 0x0 04308 476 NtClose (360, ... ) == 0x0 04309 476 NtClose (336, ... ) == 0x0 04310 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Cookies"}, ... 336, ) }, ... 336, ) == 0x0 04311 476 NtQueryValueKey (336, (336, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04312 476 NtClose (336, ... 
) == 0x0 04313 476 NtClose (332, ... ) == 0x0 04314 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "Cookies"}, ... 332, ) }, ... 332, ) == 0x0 04315 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04316 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 04317 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 04318 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04319 476 NtQueryValueKey (336, (336, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 04320 476 NtClose (336, ... ) == 0x0 04321 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1235900, ... ) }, 1235900, ... ) == 0x0 04322 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04323 476 NtSetValueKey (336, (336, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (336, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 04324 476 NtClose (336, ... ) == 0x0 04325 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1237232, ... ) }, 1237232, ... 
) == 0x0 04326 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 04327 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 04328 476 NtQueryValueKey (332, (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04329 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "History"}, ... 336, ) }, ... 336, ) == 0x0 04330 476 NtQueryValueKey (336, (336, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (336, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04331 476 NtClose (336, ... ) == 0x0 04332 476 NtClose (332, ... ) == 0x0 04333 476 NtOpenKey (0xf, {24, 324, 0x40, 0, 0, (0xf, {24, 324, 0x40, 0, 0, "History"}, ... 332, ) }, ... 332, ) == 0x0 04334 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04335 476 NtReleaseSemaphore (100, 1, ... 0, ) == 0x0 04336 476 NtWaitForSingleObject (100, 0, {0, 0}, ... ) == 0x0 04337 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04338 476 NtQueryValueKey (336, (336, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (336, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 04339 476 NtClose (336, ... ) == 0x0 04340 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1235900, ... ) }, 1235900, ... ) == 0x0 04341 476 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 336, 2, ) }, 0, 0x0, 0, ... 336, 2, ) == 0x0 04342 476 NtSetValueKey (336, (336, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (336, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 04343 476 NtClose (336, ... ) == 0x0 04344 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1237232, ... ) }, 1237232, ... ) == 0x0 04345 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1236964, ... ) }, 1236964, ... ) == 0x0 04346 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 336, {status=0x0, info=1}, ) }, 7, 2113568, ... 
336, {status=0x0, info=1}, ) == 0x0 04347 476 NtSetInformationFile (336, 1236940, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04348 476 NtClose (336, ... ) == 0x0 04349 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1236964, ... ) }, 1236964, ... ) == 0x0 04350 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 04351 476 NtQueryValueKey (332, (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (332, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 04352 476 NtQueryValueKey (332, (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (332, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04353 476 NtClose (332, ... ) == 0x0 04354 476 NtClose (328, ... ) == 0x0 04355 476 NtClose (320, ... ) == 0x0 04356 476 NtClose (324, ... ) == 0x0 04357 476 NtClose (312, ... ) == 0x0 04358 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 312, ) }, ... 312, ) == 0x0 04359 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 324, ) }, ... 324, ) == 0x0 04360 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04361 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 
320, {status=0x0, info=1}, ) }, 3, 8388641, ... 320, {status=0x0, info=1}, ) == 0x0 04362 476 NtQueryVolumeInformationFile (320, 1238484, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04363 476 NtClose (320, ... ) == 0x0 04364 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 320, {status=0x0, info=1}, ) }, 3, 8388641, ... 320, {status=0x0, info=1}, ) == 0x0 04365 476 NtQueryVolumeInformationFile (320, 1238508, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04366 476 NtClose (320, ... ) == 0x0 04367 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1238836, ... ) }, 1238836, ... ) == 0x0 04368 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 320, {status=0x0, info=1}, ) }, 7, 2113568, ... 320, {status=0x0, info=1}, ) == 0x0 04369 476 NtSetInformationFile (320, 1238812, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04370 476 NtClose (320, ... ) == 0x0 04371 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238828, (0xc0100080, {24, 0, 0x40, 1374736, 1238828, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 04372 476 NtSetInformationFile (320, 1238880, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04373 476 NtQueryInformationFile (320, 1238880, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04374 476 NtClose (320, ... ) == 0x0 04375 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238812, (0xc0100080, {24, 0, 0x40, 1374736, 1238812, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
320, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 320, {status=0x0, info=1}, ) == 0x0 04376 476 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 328, ) }, ... 328, ) == 0x0 04377 476 NtMapViewOfSection (328, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa90000), {0, 0}, 32768, ) == 0x0 04378 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04379 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 332, ) }, ... 332, ) == 0x0 04380 476 NtWaitForSingleObject (332, 0, 0x0, ... ) == 0x0 04381 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 336, {status=0x0, info=1}, ) }, 3, 8388641, ... 336, {status=0x0, info=1}, ) == 0x0 04382 476 NtQueryVolumeInformationFile (336, 1238484, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04383 476 NtClose (336, ... ) == 0x0 04384 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 336, {status=0x0, info=1}, ) }, 3, 8388641, ... 336, {status=0x0, info=1}, ) == 0x0 04385 476 NtQueryVolumeInformationFile (336, 1238508, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04386 476 NtClose (336, ... ) == 0x0 04387 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1238836, ... ) }, 1238836, ... ) == 0x0 04388 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 336, {status=0x0, info=1}, ) }, 7, 2113568, ... 336, {status=0x0, info=1}, ) == 0x0 04389 476 NtSetInformationFile (336, 1238812, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04390 476 NtClose (336, ... 
) == 0x0 04391 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238828, (0xc0100080, {24, 0, 0x40, 1374736, 1238828, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0 04392 476 NtSetInformationFile (336, 1238880, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04393 476 NtQueryInformationFile (336, 1238880, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04394 476 NtClose (336, ... ) == 0x0 04395 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238812, (0xc0100080, {24, 0, 0x40, 1374736, 1238812, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 336, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 336, {status=0x0, info=1}, ) == 0x0 04396 476 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 360, ) }, ... 360, ) == 0x0 04397 476 NtMapViewOfSection (360, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xaa0000), {0, 0}, 16384, ) == 0x0 04398 476 NtReleaseMutant (332, ... 0x0, ) == 0x0 04399 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 340, ) }, ... 340, ) == 0x0 04400 476 NtWaitForSingleObject (340, 0, 0x0, ... ) == 0x0 04401 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 344, {status=0x0, info=1}, ) }, 3, 8388641, ... 344, {status=0x0, info=1}, ) == 0x0 04402 476 NtQueryVolumeInformationFile (344, 1238484, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04403 476 NtClose (344, ... ) == 0x0 04404 476 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 344, {status=0x0, info=1}, ) }, 3, 8388641, ... 
344, {status=0x0, info=1}, ) == 0x0 04405 476 NtQueryVolumeInformationFile (344, 1238508, 24, Size, ... {status=0x0, info=24}, ) == 0x0 04406 476 NtClose (344, ... ) == 0x0 04407 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1238836, ... ) }, 1238836, ... ) == 0x0 04408 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 344, {status=0x0, info=1}, ) }, 7, 2113568, ... 344, {status=0x0, info=1}, ) == 0x0 04409 476 NtSetInformationFile (344, 1238812, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04410 476 NtClose (344, ... ) == 0x0 04411 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238828, (0xc0100080, {24, 0, 0x40, 1374736, 1238828, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0 04412 476 NtSetInformationFile (344, 1238880, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04413 476 NtQueryInformationFile (344, 1238880, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04414 476 NtClose (344, ... ) == 0x0 04415 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374736, 1238812, (0xc0100080, {24, 0, 0x40, 1374736, 1238812, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0 04416 476 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 348, ) }, ... 348, ) == 0x0 04417 476 NtMapViewOfSection (348, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xab0000), {0, 0}, 32768, ) == 0x0 04418 476 NtReleaseMutant (340, ... 
0x0, ) == 0x0 04419 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1238892, ... ) }, 1238892, ... ) == 0x0 04420 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 352, {status=0x0, info=1}, ) }, 7, 2113568, ... 352, {status=0x0, info=1}, ) == 0x0 04421 476 NtSetInformationFile (352, 1238868, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04422 476 NtClose (352, ... ) == 0x0 04423 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1238892, ... ) }, 1238892, ... ) == 0x0 04424 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1238892, ... ) }, 1238892, ... ) == 0x0 04425 476 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 352, {status=0x0, info=1}, ) }, 7, 2113568, ... 352, {status=0x0, info=1}, ) == 0x0 04426 476 NtSetInformationFile (352, 1238868, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 04427 476 NtClose (352, ... ) == 0x0 04428 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1238892, ... ) }, 1238892, ... ) == 0x0 04429 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04430 476 NtQueryInformationFile (320, 1237276, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04431 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04432 476 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
352, ) }, ... 352, ) == 0x0 04433 476 NtOpenKey (0xf, {24, 352, 0x40, 0, 0, (0xf, {24, 352, 0x40, 0, 0, "Extensible Cache"}, ... 356, ) }, ... 356, ) == 0x0 04434 476 NtClose (352, ... ) == 0x0 04435 476 NtWaitForSingleObject (312, 0, {-600000000, -1}, ... ) == 0x0 04436 476 NtEnumerateKey (356, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (356, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 04437 476 NtOpenKey (0xf, {24, 356, 0x40, 0, 0, (0xf, {24, 356, 0x40, 0, 0, "MSHist012007051420070521"}, ... 352, ) }, ... 352, ) == 0x0 04438 476 NtQueryValueKey (352, (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04439 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04440 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04441 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04442 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04443 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04444 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04445 476 NtQueryValueKey (352, (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04446 476 NtQueryValueKey (352, (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 04447 476 NtClose (352, ... ) == 0x0 04448 476 NtEnumerateKey (356, 1, Basic, 288, ... 
{LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (356, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 04449 476 NtOpenKey (0xf, {24, 356, 0x40, 0, 0, (0xf, {24, 356, 0x40, 0, 0, "MSHist012007052120070528"}, ... 352, ) }, ... 352, ) == 0x0 04450 476 NtQueryValueKey (352, (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04451 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04452 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04453 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04454 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04455 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04456 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04457 476 NtQueryValueKey (352, (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04458 476 NtQueryValueKey (352, (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 04459 476 NtClose (352, ... ) == 0x0 04460 476 NtEnumerateKey (356, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (356, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 04461 476 NtOpenKey (0xf, {24, 356, 0x40, 0, 0, (0xf, {24, 356, 0x40, 0, 0, "MSHist012007053120070601"}, ... 352, ) }, ... 
352, ) == 0x0 04462 476 NtQueryValueKey (352, (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04463 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04464 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04465 476 NtQueryValueKey (352, (352, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04466 476 NtQueryValueKey (352, (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (352, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 04467 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04468 476 NtQueryValueKey (352, (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (352, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 04469 476 NtQueryValueKey (352, (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 04470 476 NtQueryValueKey (352, (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (352, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 04471 476 NtClose (352, ... ) == 0x0 04472 476 NtEnumerateKey (356, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 04473 476 NtReleaseMutant (312, ... 0x0, ) == 0x0 04474 476 NtClose (356, ... ) == 0x0 04475 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04476 476 NtQueryInformationFile (320, 1239204, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04477 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04478 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04479 476 NtQueryInformationFile (320, 1239276, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04480 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04481 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04482 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04483 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04484 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04485 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04486 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 356, ) }, ... 356, ) == 0x0 04487 476 NtQueryValueKey (356, (356, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04488 476 NtClose (356, ... ) == 0x0 04489 476 NtQueryValueKey (72, (72, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04490 476 NtQueryValueKey (72, (72, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04491 476 NtQueryValueKey (72, (72, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04492 476 NtQueryValueKey (72, (72, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04493 476 NtQueryValueKey (72, (72, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04494 476 NtQueryValueKey (72, (72, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04495 476 NtQueryValueKey (72, (72, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04496 476 NtQueryValueKey (72, (72, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04497 476 NtQueryValueKey (72, (72, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04498 476 NtQueryValueKey (72, (72, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04499 476 NtQueryValueKey (72, (72, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04500 476 NtQueryValueKey (72, (72, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04501 476 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 356, ) }, ... 356, ) == 0x0 04502 476 NtQueryValueKey (356, (356, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04503 476 NtClose (356, ... ) == 0x0 04504 476 NtQueryValueKey (72, (72, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04505 476 NtQueryValueKey (72, (72, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04506 476 NtQueryValueKey (72, (72, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04507 476 NtQueryValueKey (72, (72, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04508 476 NtQueryValueKey (72, (72, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04509 476 NtQueryValueKey (72, (72, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04510 476 NtQueryValueKey (72, (72, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04511 476 NtQueryValueKey (72, (72, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04512 476 NtQueryValueKey (72, (72, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04513 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 356, ) }, ... 356, ) == 0x0 04514 476 NtQueryValueKey (356, (356, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04515 476 NtClose (356, ... ) == 0x0 04516 476 NtQueryValueKey (72, (72, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04517 476 NtQueryValueKey (72, (72, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04518 476 NtQueryValueKey (72, (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04519 476 NtQueryValueKey (72, (72, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04520 476 NtQueryValueKey (72, (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04521 476 NtQueryValueKey (72, (72, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (72, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 04522 476 NtQueryValueKey (72, (72, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04523 476 NtQueryValueKey (72, (72, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04524 476 NtQueryValueKey (72, (72, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04525 476 NtQueryValueKey (72, (72, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04526 476 NtQueryValueKey (72, (72, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (72, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04527 476 NtQueryValueKey (72, (72, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04528 476 NtQueryValueKey (72, (72, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04529 476 NtQueryValueKey (72, (72, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04530 476 NtQueryValueKey (72, (72, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04531 476 NtQueryValueKey (72, (72, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04532 476 NtQueryValueKey (72, (72, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04533 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 356, ) }, ... 
356, ) == 0x0 04534 476 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 352, ) == 0x0 04535 476 NtQueryValueKey (72, (72, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04536 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04537 476 NtQueryInformationFile (320, 1239252, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04538 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04539 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 364, ) }, ... 364, ) == 0x0 04540 476 NtCreateMutant (0x1f0001, 0x0, 0, ... 368, ) == 0x0 04541 476 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 372, ) }, ... 372, ) == 0x0 04542 476 NtQueryValueKey (72, (72, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04543 476 NtQueryValueKey (72, (72, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (72, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04544 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 376, ) }, ... 376, ) == 0x0 04545 476 NtQueryValueKey (376, (376, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 04546 476 NtQueryValueKey (376, (376, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (376, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 04547 476 NtClose (376, ... ) == 0x0 04548 476 NtAllocateVirtualMemory (-1, 1445888, 0, 4096, 4096, 4, ... 1445888, 4096, ) == 0x0 04549 476 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 376, ) == 0x0 04550 476 NtWaitForSingleObject (376, 0, 0x0, ... ) == 0x0 04551 476 NtClearEvent (376, ... ) == 0x0 04552 476 NtSetEvent (376, ... 0x0, ) == 0x0 04553 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04554 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1237140, ... ) }, 1237140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04555 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1237140, ... ) }, 1237140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04556 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1237140, ... ) }, 1237140, ... ) == 0x0 04557 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 380, {status=0x0, info=1}, ) }, 5, 96, ... 380, {status=0x0, info=1}, ) == 0x0 04558 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 380, ... 384, ) == 0x0 04559 476 NtQuerySection (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04560 476 NtClose (380, ... ) == 0x0 04561 476 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 04562 476 NtClose (384, ... ) == 0x0 04563 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04564 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1236336, ... ) }, 1236336, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04565 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1236336, ... ) }, 1236336, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04566 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1236336, ... ) }, 1236336, ... ) == 0x0 04567 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 384, {status=0x0, info=1}, ) }, 5, 96, ... 384, {status=0x0, info=1}, ) == 0x0 04568 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 384, ... 380, ) == 0x0 04569 476 NtQuerySection (380, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04570 476 NtClose (384, ... ) == 0x0 04571 476 NtMapViewOfSection (380, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 04572 476 NtClose (380, ... ) == 0x0 04573 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04574 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1235532, ... ) }, 1235532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04575 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1235532, ... ) }, 1235532, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04576 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1235532, ... ) }, 1235532, ... ) == 0x0 04577 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 380, {status=0x0, info=1}, ) }, 5, 96, ... 380, {status=0x0, info=1}, ) == 0x0 04578 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 380, ... 384, ) == 0x0 04579 476 NtQuerySection (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04580 476 NtClose (380, ... 
) == 0x0 04581 476 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 04582 476 NtClose (384, ... ) == 0x0 04583 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04584 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 04585 476 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 384, ) }, ... 384, ) == 0x0 04586 476 NtQueryValueKey (384, (384, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (384, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 04587 476 NtQueryValueKey (384, (384, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (384, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 04588 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 380, ) == 0x0 04589 476 NtOpenKey (0x2000000, {24, 384, 0x40, 0, 0, (0x2000000, {24, 384, 0x40, 0, 0, "Protocol_Catalog9"}, ... 388, ) }, ... 388, ) == 0x0 04590 476 NtQueryValueKey (388, (388, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 04591 476 NtNotifyChangeKey (388, 380, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 04592 476 NtQueryValueKey (388, (388, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 04593 476 NtOpenKey (0x2000000, {24, 388, 0x40, 0, 0, (0x2000000, {24, 388, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04594 476 NtQueryValueKey (388, (388, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 04595 476 NtQueryValueKey (388, (388, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (388, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 04596 476 NtOpenKey (0x2000000, {24, 388, 0x40, 0, 0, (0x2000000, {24, 388, 0x40, 0, 0, "Catalog_Entries"}, ... 392, ) }, ... 392, ) == 0x0 04597 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000001"}, ... 396, ) }, ... 396, ) == 0x0 04598 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04599 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04600 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\371\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\372\21\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\373\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\374\21\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04601 476 NtClose (396, ... ) == 0x0 04602 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000002"}, ... 396, ) }, ... 396, ) == 0x0 04603 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04604 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04605 476 NtAllocateVirtualMemory (-1, 1449984, 0, 4096, 4096, 4, ... 1449984, 4096, ) == 0x0 04606 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\377\21\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\0\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\1\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04607 476 NtClose (396, ... ) == 0x0 04608 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000003"}, ... 396, ) }, ... 396, ) == 0x0 04609 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04610 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04611 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\4\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\5\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\6\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04612 476 NtClose (396, ... ) == 0x0 04613 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000004"}, ... 396, ) }, ... 396, ) == 0x0 04614 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04615 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04616 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\11\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\12\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\13\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04617 476 NtClose (396, ... ) == 0x0 04618 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000005"}, ... 396, ) }, ... 396, ) == 0x0 04619 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04620 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04621 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\16\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\17\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\20\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\21\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04622 476 NtClose (396, ... ) == 0x0 04623 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000006"}, ... 396, ) }, ... 396, ) == 0x0 04624 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04625 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04626 476 NtAllocateVirtualMemory (-1, 1454080, 0, 4096, 4096, 4, ... 1454080, 4096, ) == 0x0 04627 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\24\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\25\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\26\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04628 476 NtClose (396, ... ) == 0x0 04629 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000007"}, ... 396, ) }, ... 396, ) == 0x0 04630 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04631 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04632 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\31\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\32\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0\33\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\34\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04633 476 NtClose (396, ... ) == 0x0 04634 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000008"}, ... 396, ) }, ... 396, ) == 0x0 04635 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04636 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04637 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0 \22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0 \22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0 \22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0 \22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0 
\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0\36\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\37\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0 \22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0 
\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0!\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04638 476 NtClose (396, ... ) == 0x0 04639 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000009"}, ... 396, ) }, ... 396, ) == 0x0 04640 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04641 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04642 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0#\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0$\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0%\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0&\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04643 476 NtClose (396, ... ) == 0x0 04644 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000010"}, ... 396, ) }, ... 396, ) == 0x0 04645 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04646 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04647 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0 (396, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0(\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\210\1\0\0d\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\342\25\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0)\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\214\1\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\25\0\2\0\0\0\220\0\0\0*\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0+\22\0\0\320\1\0\0\334\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\214\1\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 04648 476 NtClose (396, ... ) == 0x0 04649 476 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "000000000011"}, ... 396, ) }, ... 396, ) == 0x0 04650 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04651 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 04652 476 NtAllocateVirtualMemory (-1, 1458176, 0, 4096, 4096, 4, ... 1458176, 4096, ) == 0x0 04653 476 NtQueryValueKey (396, (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0.\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0.\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\210\1\0\0/\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\22\0\0\320\1\0\0\334\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\22\0\0\320\1\0\0\334\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\01\22\0\0\320\1\0\0\334\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\01\22\0\0\320\1\0\0\334\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\210\1\0\02\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\200\1\0\0\200\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0H\232\25\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (396, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0.\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\214\1\0\0.\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0/\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\210\1\0\0/\22\0\0\320\1\0\0\334\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\22\0\0\320\1\0\0\334\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0|\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\22\0\0\320\1\0\0\334\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\01\22\0\0\320\1\0\0\334\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\01\22\0\0\320\1\0\0\334\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\210\1\0\02\22\0\0\320\1\0\0\334\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\200\1\0\0\200\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0H\232\25\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 04654 476 NtClose (396, ... ) == 0x0 04655 476 NtClose (392, ... 
) == 0x0 04656 476 NtWaitForSingleObject (380, 0, {0, 0}, ... ) == 0x102 04657 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 392, ) == 0x0 04658 476 NtOpenKey (0x2000000, {24, 384, 0x40, 0, 0, (0x2000000, {24, 384, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 396, ) }, ... 396, ) == 0x0 04659 476 NtQueryValueKey (396, (396, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 04660 476 NtNotifyChangeKey (396, 392, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 04661 476 NtQueryValueKey (396, (396, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 04662 476 NtOpenKey (0x2000000, {24, 396, 0x40, 0, 0, (0x2000000, {24, 396, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04663 476 NtQueryValueKey (396, (396, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (396, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 04664 476 NtOpenKey (0x2000000, {24, 396, 0x40, 0, 0, (0x2000000, {24, 396, 0x40, 0, 0, "Catalog_Entries"}, ... 400, ) }, ... 400, ) == 0x0 04665 476 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "000000000001"}, ... 404, ) }, ... 404, ) == 0x0 04666 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04667 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04668 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04669 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04670 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04671 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 04672 476 NtQueryValueKey (404, (404, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (404, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 04673 476 NtQueryValueKey (404, (404, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04674 476 NtQueryValueKey (404, (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 04675 476 NtQueryValueKey (404, (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04676 476 NtQueryValueKey (404, (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04677 476 NtQueryValueKey (404, (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04678 476 NtClose (404, ... ) == 0x0 04679 476 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "000000000002"}, ... 404, ) }, ... 404, ) == 0x0 04680 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04681 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 04682 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04683 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04684 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04685 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 04686 476 NtQueryValueKey (404, (404, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (404, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 04687 476 NtQueryValueKey (404, (404, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04688 476 NtQueryValueKey (404, (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 04689 476 NtQueryValueKey (404, (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04690 476 NtQueryValueKey (404, (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04691 476 NtQueryValueKey (404, (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04692 476 NtClose (404, ... ) == 0x0 04693 476 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "000000000003"}, ... 404, ) }, ... 404, ) == 0x0 04694 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04695 476 NtQueryValueKey (404, (404, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 04696 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04697 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04698 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04699 476 NtQueryValueKey (404, (404, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 04700 476 NtQueryValueKey (404, (404, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (404, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 04701 476 NtQueryValueKey (404, (404, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04702 476 NtQueryValueKey (404, (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 04703 476 NtQueryValueKey (404, (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04704 476 NtQueryValueKey (404, (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04705 476 NtQueryValueKey (404, (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04706 476 NtClose (404, ... 
) == 0x0 04707 476 NtClose (400, ... ) == 0x0 04708 476 NtWaitForSingleObject (392, 0, {0, 0}, ... ) == 0x102 04709 476 NtClose (384, ... ) == 0x0 04710 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04711 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 04712 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 384, ) }, ... 384, ) == 0x0 04713 476 NtQueryValueKey (384, (384, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04714 476 NtClose (384, ... ) == 0x0 04715 476 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 384, ) == 0x0 04716 476 NtClearEvent (352, ... ) == 0x0 04717 476 NtSetEvent (352, ... 0x0, ) == 0x0 04718 476 NtWaitForSingleObject (324, 0, 0x0, ... ) == 0x0 04719 476 NtQueryInformationFile (320, 1238832, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04720 476 NtReleaseMutant (324, ... 0x0, ) == 0x0 04721 476 NtAllocateVirtualMemory (-1, 1462272, 0, 4096, 4096, 4, ... 1462272, 4096, ) == 0x0 04722 476 NtWaitForSingleObject (392, 0, {0, 0}, ... ) == 0x102 04723 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1235952, ... ) }, 1235952, ... ) == 0x0 04724 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 400, {status=0x0, info=1}, ) }, 5, 96, ... 400, {status=0x0, info=1}, ) == 0x0 04725 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 400, ... 404, ) == 0x0 04726 476 NtClose (400, ... ) == 0x0 04727 476 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 
(0xb50000), 0x0, 229376, ) == 0x0 04728 476 NtClose (404, ... ) == 0x0 04729 476 NtUnmapViewOfSection (-1, 0xb50000, ... ) == 0x0 04730 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1236268, ... ) }, 1236268, ... ) == 0x0 04731 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 04732 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 404, ... 400, ) == 0x0 04733 476 NtQuerySection (400, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04734 476 NtClose (404, ... ) == 0x0 04735 476 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 04736 476 NtClose (400, ... ) == 0x0 04737 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04738 476 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 04739 476 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 04740 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04741 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1236068, ... ) }, 1236068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04742 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 1236068, ... ) }, 1236068, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04743 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1236068, ... ) }, 1236068, ... 
) == 0x0 04744 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 04745 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 404, ... 408, ) == 0x0 04746 476 NtQuerySection (408, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04747 476 NtClose (404, ... ) == 0x0 04748 476 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 04749 476 NtClose (408, ... ) == 0x0 04750 476 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 04751 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04752 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04753 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04754 476 NtQueryValueKey (404, (404, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04755 476 NtQueryValueKey (408, (408, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04756 476 NtQueryValueKey (404, (404, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04757 476 NtQueryValueKey (408, (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (408, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04758 476 NtQueryValueKey (404, (404, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04759 476 NtQueryValueKey (408, (408, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04760 476 NtQueryValueKey (404, (404, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04761 476 NtQueryValueKey (408, (408, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04762 476 NtQueryValueKey (404, (404, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04763 476 NtQueryValueKey (404, (404, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04764 476 NtQueryValueKey (404, (404, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04765 476 NtQueryValueKey (404, (404, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04766 476 NtQueryValueKey (404, (404, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04767 476 NtQueryValueKey (404, (404, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04768 476 NtQueryValueKey (404, (404, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04769 476 NtQueryValueKey (408, (408, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04770 476 NtQueryValueKey (404, (404, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04771 476 NtQueryValueKey (404, (404, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04772 476 NtQueryValueKey (408, (408, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04773 476 NtQueryValueKey (404, (404, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04774 476 NtQueryValueKey (408, (408, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04775 476 NtQueryValueKey (404, (404, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04776 476 NtQueryValueKey (408, (408, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04777 476 NtQueryValueKey (404, (404, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04778 476 NtQueryValueKey (408, (408, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04779 476 NtQueryValueKey (404, (404, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04780 476 NtQueryValueKey (408, (408, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04781 476 NtQueryValueKey (404, (404, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04782 476 NtQueryValueKey (408, (408, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04783 476 NtQueryValueKey (404, (404, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04784 476 NtQueryValueKey (408, (408, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04785 476 NtQueryValueKey (404, (404, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04786 476 NtQueryValueKey (408, (408, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04787 476 NtQueryValueKey (404, (404, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04788 476 NtQueryValueKey (404, (404, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04789 476 NtQueryValueKey (404, (404, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04790 476 NtQueryValueKey (404, (404, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04791 476 NtQueryValueKey (404, (404, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04792 476 NtQueryValueKey (404, (404, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04793 476 NtQueryValueKey (404, (404, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04794 476 NtQueryValueKey (404, (404, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04795 476 NtQueryValueKey (404, (404, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04796 476 NtQueryValueKey (404, (404, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04797 476 NtQueryValueKey (404, (404, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04798 476 NtQueryValueKey (404, (404, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04799 476 NtQueryValueKey (404, (404, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04800 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 
412, ) }, ... 412, ) == 0x0 04801 476 NtQueryValueKey (412, (412, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (412, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 04802 476 NtClose (412, ... ) == 0x0 04803 476 NtClose (408, ... ) == 0x0 04804 476 NtClose (404, ... ) == 0x0 04805 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04806 476 NtQueryValueKey (404, (404, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04807 476 NtQueryValueKey (404, (404, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04808 476 NtQueryValueKey (404, (404, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04809 476 NtClose (404, ... ) == 0x0 04810 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 04811 476 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236544, 112, ... 408, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236544, 112, ... 408, 0x0, 0x0, 0x0, 112, ) == 0x0 04812 476 NtRequestWaitReplyPort (408, {128, 152, new_msg, 0, 121876, 1310720, 1236308, 2012750850} (408, {128, 152, new_msg, 0, 121876, 1310720, 1236308, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0F\25\0P\\26\0\0\0\0\0H\\26\0p\\26\0\230\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\5\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 464, 476, 1591, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0F\25\0P\\26\0\0\0\0\0H\\26\0p\\26\0\230\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\5\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 464, 476, 1591, 0} (408, {128, 152, new_msg, 0, 121876, 1310720, 1236308, 2012750850} "\0\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0F\25\0P\\26\0\0\0\0\0H\\26\0p\\26\0\230\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\5\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 476, 1591, 0} "\7\344\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0F\25\0P\\26\0\0\0\0\0H\\26\0p\\26\0\230\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\5\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 04813 476 NtRequestWaitReplyPort (408, {64, 88, new_msg, 0, 32, 1, 8, 1310720} (408, {64, 88, new_msg, 0, 32, 1, 8, 1310720} "\1\0\0\0A\2\10\0\230\320\377k\22\241\206\2303F\303\370~4Z\377\377\377\377\4]\210\212\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0d\0o\0c\0k\0P\0r\0i\0v\0" ... {52, 76, reply, 0, 464, 476, 1592, 0} "\2\353\361\371\1\0N\200\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\214\353\361\371\231\254N\200h\\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 464, 476, 1592, 0} (408, {64, 88, new_msg, 0, 32, 1, 8, 1310720} "\1\0\0\0A\2\10\0\230\320\377k\22\241\206\2303F\303\370~4Z\377\377\377\377\4]\210\212\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0d\0o\0c\0k\0P\0r\0i\0v\0" ... {52, 76, reply, 0, 464, 476, 1592, 0} "\2\353\361\371\1\0N\200\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\214\353\361\371\231\254N\200h\\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04814 476 NtClose (404, ... 
) == 0x0 04815 476 NtClose (408, ... ) == 0x0 04816 476 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 04817 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04818 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04819 476 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04820 476 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04821 476 NtClose (408, ... ) == 0x0 04822 476 NtClose (404, ... ) == 0x0 04823 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 04824 476 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236408, 112, ... 408, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236408, 112, ... 
408, 0x0, 0x0, 0x0, 112, ) == 0x0 04825 476 NtRequestWaitReplyPort (408, {128, 152, new_msg, 0, 121740, 1310720, 1236172, 2012750850} (408, {128, 152, new_msg, 0, 121740, 1310720, 1236172, 2012750850} "\0\343\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0F\25\0x\\26\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\270\336\22\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 476, 1595, 0} "\7\343\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0F\25\0x\\26\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\270\336\22\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 464, 476, 1595, 0} (408, {128, 152, new_msg, 0, 121740, 1310720, 1236172, 2012750850} "\0\343\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0F\25\0x\\26\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\270\336\22\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 476, 1595, 0} "\7\343\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0F\25\0x\\26\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0\270\336\22\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 04826 476 NtRequestWaitReplyPort (408, {44, 68, new_msg, 0, 464, 476, 1592, 0} (408, {44, 68, new_msg, 0, 464, 476, 1592, 0} "\1\353\0\0A\2\4\0\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\377\377\377\377\231\254N\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 464, 476, 1596, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... 
{40, 64, reply, 0, 464, 476, 1596, 0} (408, {44, 68, new_msg, 0, 464, 476, 1592, 0} "\1\353\0\0A\2\4\0\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\377\377\377\377\231\254N\200\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 464, 476, 1596, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 04827 476 NtRequestWaitReplyPort (408, {64, 88, new_msg, 56, 0, 1, 0, 0} (408, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\337\22\0@\0\314w\230E\25\0\200\337\22\0\350\337\22\0\0\267\362v\350\337\22\0\230E\25\0\1\0\0\0(\2\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 464, 476, 1597, 0} "\10\337\22\0@\0\314w\230E\25\0\200\337\22\0\350\337\22\0\0\267\362v\350\337\22\0\230E\25\0\1\0\0\0(\2\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 464, 476, 1597, 0} (408, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\337\22\0@\0\314w\230E\25\0\200\337\22\0\350\337\22\0\0\267\362v\350\337\22\0\230E\25\0\1\0\0\0(\2\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 464, 476, 1597, 0} "\10\337\22\0@\0\314w\230E\25\0\200\337\22\0\350\337\22\0\0\267\362v\350\337\22\0\230E\25\0\1\0\0\0(\2\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 04828 476 NtClose (404, ... ) == 0x0 04829 476 NtClose (408, ... ) == 0x0 04830 476 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 04831 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04832 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... 
) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04833 476 NtQueryValueKey (408, (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04834 476 NtQueryValueKey (408, (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04835 476 NtClose (408, ... ) == 0x0 04836 476 NtClose (404, ... ) == 0x0 04837 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04838 476 NtQueryValueKey (404, (404, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04839 476 NtClose (404, ... ) == 0x0 04840 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1235952, ... ) }, 1235952, ... ) == 0x0 04841 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 404, {status=0x0, info=1}, ) }, 5, 96, ... 404, {status=0x0, info=1}, ) == 0x0 04842 476 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 404, ... 408, ) == 0x0 04843 476 NtClose (404, ... ) == 0x0 04844 476 NtMapViewOfSection (408, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xb50000), 0x0, 16384, ) == 0x0 04845 476 NtClose (408, ... ) == 0x0 04846 476 NtUnmapViewOfSection (-1, 0xb50000, ... ) == 0x0 04847 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1236268, ... ) }, 1236268, ... ) == 0x0 04848 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 
408, {status=0x0, info=1}, ) == 0x0 04849 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 404, ) == 0x0 04850 476 NtQuerySection (404, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04851 476 NtClose (408, ... ) == 0x0 04852 476 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 04853 476 NtClose (404, ... ) == 0x0 04854 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 404, ) }, ... 404, ) == 0x0 04855 476 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 04856 476 NtClose (404, ... ) == 0x0 04857 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 04858 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 408, ) }, ... 408, ) == 0x0 04859 476 NtQueryValueKey (408, (408, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 04860 476 NtClose (408, ... ) == 0x0 04861 476 NtAllocateVirtualMemory (-1, 1466368, 0, 4096, 4096, 4, ... 1466368, 4096, ) == 0x0 04862 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1235952, ... ) }, 1235952, ... ) == 0x0 04863 476 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 04864 476 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 11862016, 65536, ) == 0x0 04865 476 NtAllocateVirtualMemory (-1, 11862016, 0, 4096, 4096, 4, ... 
11862016, 4096, ) == 0x0 04866 476 NtAllocateVirtualMemory (-1, 11866112, 0, 8192, 4096, 4, ... 11866112, 8192, ) == 0x0 04867 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 04868 476 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1236240, 112, ... 412, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1236240, 112, ... 412, 0x0, 0x0, 0x0, 112, ) == 0x0 04869 476 NtRequestWaitReplyPort (412, {128, 152, new_msg, 0, 121572, 1310720, 1236004, 2012750850} (412, {128, 152, new_msg, 0, 121572, 1310720, 1236004, 2012750850} "\0\342\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\20a\26\08a\26\0\250b\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\253\1\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 476, 1600, 0} "\7\342\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\20a\26\08a\26\0\250b\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\253\1\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 464, 476, 1600, 0} (412, {128, 152, new_msg, 0, 121572, 1310720, 1236004, 2012750850} "\0\342\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\310\\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\20a\26\08a\26\0\250b\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\253\1\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 464, 476, 1600, 0} "\7\342\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\20a\26\08a\26\0\250b\26\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\253\1\0\0\5\0\0\0" ) ) == 0x0 04870 476 NtRequestWaitReplyPort (412, {64, 88, new_msg, 0, 464, 476, 1596, 0} (412, {64, 88, new_msg, 0, 464, 476, 1596, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0c\0k\0P\0r\0i\0v\0" ... {52, 76, reply, 0, 464, 476, 1601, 0} "\2\353\361\371\1\0N\200\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\214\353\361\371\231\254N\200p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 464, 476, 1601, 0} (412, {64, 88, new_msg, 0, 464, 476, 1596, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0c\0k\0P\0r\0i\0v\0" ... {52, 76, reply, 0, 464, 476, 1601, 0} "\2\353\361\371\1\0N\200\344\201\30\201\274\212T\200\274\212T\200H\201\30\201\214\353\361\371\231\254N\200p^\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04871 476 NtClose (408, ... ) == 0x0 04872 476 NtClose (412, ... ) == 0x0 04873 476 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 412, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 412, 2, ) , 0, ... 412, 2, ) == 0x0 04874 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 408, ) }, ... 408, ) == 0x0 04875 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04876 476 NtQueryValueKey (412, (412, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04877 476 NtQueryValueKey (412, (412, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04878 476 NtClose (412, ... ) == 0x0 04879 476 NtClose (408, ... ) == 0x0 04880 476 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 04881 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 412, ) }, ... 412, ) == 0x0 04882 476 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04883 476 NtQueryValueKey (408, (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04884 476 NtQueryValueKey (408, (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04885 476 NtClose (408, ... ) == 0x0 04886 476 NtClose (412, ... 
) == 0x0 04887 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04888 476 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 412, ) }, ... 412, ) == 0x0 04889 476 NtQueryValueKey (412, (412, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04890 476 NtQueryValueKey (412, (412, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (412, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04891 476 NtClose (412, ... ) == 0x0 04892 476 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 412, ) }, ... 412, ) == 0x0 04893 476 NtWaitForSingleObject (412, 0, {-1800000000, -1}, ... ) == 0x0 04894 476 NtClose (412, ... ) == 0x0 04895 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04896 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 412, ) == 0x0 04897 476 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04898 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 04899 476 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237112, (0xc0100080, {24, 0, 0x40, 0, 1237112, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 408, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 408, {status=0x0, info=1}, ) == 0x0 04900 476 NtSetInformationFile (408, 1237168, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 04901 476 NtSetInformationFile (408, 1237160, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 04902 476 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 04903 476 NtWriteFile (408, 261, 0, 0, (408, 261, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 04904 476 NtReadFile (408, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (408, 261, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 04905 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\375 \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 04906 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... 
{status=0x103, info=48}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 04907 476 NtWaitForSingleObject (261, 0, 0x0, ... ) == 0x0 04908 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103 04909 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103 04910 476 NtWaitForSingleObject (261, 0, 0x0, ... ) == 0x0 04911 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103 04912 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0D\351\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103 04913 476 NtFsControlFile (408, 261, 0x0, 0x0, 0x11c017, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... 
{status=0x103, info=624}, (408, 261, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\305a\304zjE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 04914 476 NtClose (412, ... ) == 0x0 04915 476 NtClose (408, ... ) == 0x0 04916 476 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04917 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 1237372, ... ) }, 1237372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04918 476 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 1237372, ... ) }, 1237372, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04919 476 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 1237372, ... ) }, 1237372, ... ) == 0x0 04920 476 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 408, {status=0x0, info=1}, ) }, 5, 96, ... 
408, {status=0x0, info=1}, ) == 0x0 04921 476 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 408, ... 412, ) == 0x0 04922 476 NtQuerySection (412, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 04923 476 NtClose (408, ... ) == 0x0 04924 476 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 04925 476 NtClose (412, ... ) == 0x0 04926 476 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 412, ) }, ... 412, ) == 0x0 04927 476 NtMapViewOfSection (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xb60000), {0, 0}, 4096, ) == 0x0 04928 476 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 04929 476 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 1237836, 112, ... 416, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237836, 112, ... 416, 0x0, 0x0, 0x0, 112, ) == 0x0
