Summary:


NtAddAtom(>)  1 
NtCreateSemaphore(>)  2 
NtUserBuildHwndList(>)  4 
NtReleaseSemaphore(>)  18 

NtCallbackReturn(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtWriteVirtualMemory(>)  4 
NtSetInformationThread(>)  19 

NtConnectPort(>)  1 
NtGdiHfontCreate(>)  2 
NtGdiGetStockObject(>)  5 
NtCreateFile(>)  20 

NtContinue(>)  1 
NtOpenDirectoryObject(>)  2 
NtReadFile(>)  5 
NtCreateSection(>)  20 

NtCreateProcessEx(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtWaitForSingleObject(>)  20 

NtCreateThread(>)  1 
NtQueryInstallUILanguage(>)  2 
NtWriteFile(>)  6 
NtQueryInformationFile(>)  22 

NtDelayExecution(>)  1 
NtQueryVirtualMemory(>)  2 
NtOpenSymbolicLinkObject(>)  7 
NtOpenSection(>)  26 

NtDuplicateToken(>)  1 
NtReadVirtualMemory(>)  2 
NtQuerySymbolicLinkObject(>)  7 
NtProtectVirtualMemory(>)  27 

NtGdiCreateBitmap(>)  1 
NtReleaseMutant(>)  2 
NtUserCallNoParam(>)  7 
NtQueryKey(>)  27 

NtGdiCreatePatternBrushInternal(>)  1 
NtTerminateProcess(>)  2 
NtOpenProcessToken(>)  8 
NtQueryInformationProcess(>)  30 

NtGdiInit(>)  1 
NtUserCloseDesktop(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtMapViewOfSection(>)  40 

NtGdiQueryFontAssocInfo(>)  1 
NtUserCreateWindowEx(>)  2 
NtQuerySection(>)  9 
NtQueryAttributesFile(>)  40 

NtGdiSelectBitmap(>)  1 
NtUserDestroyWindow(>)  2 
NtQueryVolumeInformationFile(>)  10 
NtAllocateVirtualMemory(>)  41 

NtOpenKeyedEvent(>)  1 
NtUserMessageCall(>)  2 
NtSetInformationProcess(>)  10 
NtOpenProcessTokenEx(>)  43 

NtOpenProcess(>)  1 
NtUserWaitForInputIdle(>)  2 
NtUserGetWindowDC(>)  10 
NtOpenThreadTokenEx(>)  43 

NtQueryInformationJobObject(>)  1 
NtAdjustPrivilegesToken(>)  3 
NtRequestWaitReplyPort(>)  11 
NtUserUnregisterClass(>)  46 

NtQueryObject(>)  1 
NtDuplicateObject(>)  3 
NtUserCallOneParam(>)  11 
NtUserFindExistingCursorIcon(>)  48 

NtQuerySystemTime(>)  1 
NtFreeVirtualMemory(>)  3 
NtUserSystemParametersInfo(>)  11 
NtQueryInformationToken(>)  49 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtFlushInstructionCache(>)  13 
NtDeviceIoControlFile(>)  55 

NtResumeThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtFsControlFile(>)  13 
NtUserRegisterClassExWOW(>)  64 

NtSecureConnectPort(>)  1 
NtOpenEvent(>)  3 
NtQueryDirectoryFile(>)  13 
NtOpenFile(>)  66 

NtTestAlert(>)  1 
NtSetEvent(>)  3 
NtEnumerateValueKey(>)  14 
NtQuerySystemInformation(>)  77 

NtUserBuildNameList(>)  1 
NtUserGetObjectInformation(>)  3 
NtCreateEvent(>)  15 
NtUserGetClassInfo(>)  82 

NtUserGetAtomName(>)  1 
NtUserOpenDesktop(>)  3 
NtQueryDefaultLocale(>)  15 
NtUserQueryWindow(>)  112 

NtUserGetDC(>)  1 
NtUserRegisterWindowMessage(>)  3 
NtSetValueKey(>)  15 
NtQueryValueKey(>)  123 

NtUserGetGUIThreadInfo(>)  1 
NtUserRemoveProp(>)  3 
NtOpenThreadToken(>)  16 
NtOpenKey(>)  238 

NtUserGetThreadDesktop(>)  1 
NtWaitForMultipleObjects(>)  3 
NtQueryDebugFilterState(>)  16 
NtClose(>)  323 

NtUserSetProp(>)  1 
NtCreateMutant(>)  4 
NtSetInformationFile(>)  16 

NtAccessCheck(>)  2 
NtEnumerateKey(>)  4 
NtCreateKey(>)  17 

NtCreateIoCompletion(>)  2 

Trace:
 00001   472   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   472   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   472   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   472   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   472   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   472   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   472   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   472   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   472   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   472   NtClose  (12, ... ) == 0x0
 00014   472   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   472   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   472   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   472   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   472   NtClose  (16, ... ) == 0x0
 00021   472   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   472   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   472   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   472   NtClose  (16, ... ) == 0x0
 00026   472   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   472   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   472   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   472   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 472, 1502, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 464, 472, 1502, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 464, 472, 1502, 0} "\20\311\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   472   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   472   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   472   NtClose  (16, ... ) == 0x0
 00036   472   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   472   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   472   NtClose  (28, ... ) == 0x0
 00041   472   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   472   NtClose  (28, ... ) == 0x0
 00045   472   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   472   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   472   NtClose  (28, ... ) == 0x0
 00049   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   472   NtClose  (28, ... ) == 0x0
 00052   472   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 472, 1503, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 464, 472, 1503, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 464, 472, 1503, 0} "\240B\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 128, ) == 0x0
 00057   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 128, ... (0x31428000), 16384, 4, ) == 0x0
 00058   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00059   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00061   472   NtClose  (28, ... ) == 0x0
 00062   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00064   472   NtClose  (28, ... ) == 0x0
 00065   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 64, ) == 0x0
 00066   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 64, ... (0x31428000), 16384, 4, ) == 0x0
 00067   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00068   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCRT.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00070   472   NtClose  (28, ... ) == 0x0
 00071   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 64, ) == 0x0
 00072   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 64, ... (0x31428000), 16384, 4, ) == 0x0
 00073   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00074   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00075   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00076   472   NtClose  (28, ... ) == 0x0
 00077   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00079   472   NtClose  (28, ... ) == 0x0
 00080   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 64, ) == 0x0
 00081   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 64, ... (0x31428000), 16384, 4, ) == 0x0
 00082   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00083   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00085   472   NtClose  (28, ... ) == 0x0
 00086   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00087   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00088   472   NtClose  (28, ... ) == 0x0
 00089   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00090   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00091   472   NtClose  (28, ... ) == 0x0
 00092   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00093   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00094   472   NtClose  (28, ... ) == 0x0
 00095   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00096   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00097   472   NtClose  (28, ... ) == 0x0
 00098   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 28, ) }, ... 28, ) == 0x0
 00099   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00100   472   NtClose  (28, ... ) == 0x0
 00101   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 64, ) == 0x0
 00102   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 64, ... (0x31428000), 16384, 4, ) == 0x0
 00103   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00104   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00105   472   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00106   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00109   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00110   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00111   472   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00112   472   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00113   472   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00114   472   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00115   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00116   472   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00117   472   NtClose  (40, ... ) == 0x0
 00118   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00119   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00120   472   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00121   472   NtClose  (40, ... ) == 0x0
 00122   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00123   472   NtClose  (36, ... ) == 0x0
 00124   472   NtClose  (28, ... ) == 0x0
 00125   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00126   472   NtClose  (32, ... ) == 0x0
 00127   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00131   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   472   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   472   NtClose  (32, ... ) == 0x0
 00135   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00136   472   NtClose  (28, ... ) == 0x0
 00137   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 4, ... (0x31428000), 16384, 64, ) == 0x0
 00138   472   NtProtectVirtualMemory  (-1, (0x31428000), 16384, 64, ... (0x31428000), 16384, 4, ) == 0x0
 00139   472   NtFlushInstructionCache  (-1, 826441728, 16384, ... ) == 0x0
 00140   472   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00141   472   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00142   472   NtClose  (28, ... ) == 0x0
 00143   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00144   472   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00145   472   NtClose  (28, ... ) == 0x0
 00146   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00147   472   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00148   472   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00149   472   NtClose  (28, ... ) == 0x0
 00150   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00151   472   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00152   472   NtClose  (28, ... ) == 0x0
 00153   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00154   472   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00155   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00156   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00157   472   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00158   472   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00159   472   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00160   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 32, ) }, ... 32, ) == 0x0
 00161   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00162   472   NtClose  (32, ... ) == 0x0
 00163   472   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00164   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00165   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 472, 1513, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 464, 472, 1513, 0}  (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\31\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 464, 472, 1513, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00166   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00167   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0
 00168   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00169   472   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00170   472   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482032, ) == 0x0
 00171   472   NtQueryInformationToken  (-2147482032, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00172   472   NtQueryInformationToken  (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00173   472   NtClose  (-2147482032, ... ) == 0x0
 00174   472   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5373952, 4096, ) == 0x0
 00175   472   NtFreeVirtualMemory  (-1, (0x520000), 4096, 32768, ... (0x520000), 4096, ) == 0x0
 00176   472   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00177   472   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00178   472   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00179   472   NtClose  (-2147482032, ... ) == 0x0
 00180   472   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00181   472   NtQueryValueKey  (-2147482032,  (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00182   472   NtClose  (-2147482032, ... ) == 0x0
 00183   472   NtQueryDefaultLocale  (0, -136246772, ... ) == 0x0
 00184   472   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00185   472   NtUserCallNoParam  (24, ... ) == 0x0
 00186   472   NtGdiCreateCompatibleDC  (0, ...
 00187   472   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5373952, 4096, ) == 0x0
 00186   472   NtGdiCreateCompatibleDC  ... ) == 0x13010312
 00188   472   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00189   472   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00190   472   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xf0503cd
 00191   472   NtGdiCreateSolidBrush  (0, 0, ...
 00192   472   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8585216, 4096, ) == 0x0
 00191   472   NtGdiCreateSolidBrush  ... ) == 0xe1003c9
 00193   472   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00194   472   NtGdiCreateCompatibleDC  (0, ... ) == 0x4201031a
 00195   472   NtGdiSelectBitmap  (1107362586, 251986893, ... ) == 0x185000f
 00196   472   NtUserGetThreadDesktop  (472, 0, ... ) == 0x2c
 00197   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00198   472   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00199   472   NtClose  (52, ... ) == 0x0
 00200   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00201   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810fc017
 00202   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00203   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810fc01c
 00204   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00205   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810fc01e
 00206   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00207   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810f8002
 00208   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00209   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810fc018
 00210   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00211   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810fc01a
 00212   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00213   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810fc01d
 00214   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00215   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810fc026
 00216   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00217   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810fc019
 00218   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00219   472   NtAllocateVirtualMemory  (-1, 5533696, 0, 4096, 4096, 32, ... 5533696, 4096, ) == 0x0
 00218   472   NtUserRegisterClassExWOW  ... ) == 0x810fc020
 00220   472   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810fc022
 00221   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810fc023
 00222   472   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810fc024
 00223   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810fc025
 00224   472   NtCallbackReturn  (0, 0, 0, ...
 00225   472   NtGdiInit  (... ) == 0x1
 00226   472   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00227   472   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00228   472   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00229   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00230   472   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00231   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0
 00232   472   NtQueryValueKey  (52,  (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00233   472   NtClose  (52, ... ) == 0x0
 00234   472   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00235   472   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00236   472   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00237   472   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00238   472   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00239   472   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0
 00240   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00241   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00242   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00243   472   NtQueryValueKey  (60,  (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00244   472   NtClose  (60, ... ) == 0x0
 00245   472   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00246   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00247   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00248   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00249   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00250   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0
 00251   472   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00252   472   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00253   472   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00254   472   NtClose  (60, ... ) == 0x0
 00255   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0
 00256   472   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00257   472   NtQueryValueKey  (60,  (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00258   472   NtClose  (60, ... ) == 0x0
 00259   472   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00260   472   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00261   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00262   472   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00264   472   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 00265   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00266   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00267   472   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00268   472   NtClose  (60, ... ) == 0x0
 00269   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00270   472   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00271   472   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0
 00272   472   NtQueryDefaultUILanguage  (1241768, ...
 00273   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00274   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00275   472   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00276   472   NtClose  (-2147482032, ... ) == 0x0
 00277   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00278   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00279   472   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00280   472   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00281   472   NtClose  (-2147482036, ... ) == 0x0
 00282   472   NtClose  (-2147482032, ... ) == 0x0
 00272   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00283   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00284   472   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00285   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00286   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0
 00287   472   NtMapViewOfSection  (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 593920, ) == 0x0
 00288   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00289   472   NtQueryDefaultUILanguage  (2013024600, ...
 00290   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00291   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00292   472   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00293   472   NtClose  (-2147482032, ... ) == 0x0
 00294   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00295   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00296   472   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00297   472   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   472   NtClose  (-2147482036, ... ) == 0x0
 00299   472   NtClose  (-2147482032, ... ) == 0x0
 00289   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00300   472   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00301   472   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00302   472   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00303   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1514, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 472, 1514, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1514, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0P\275\213\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00305   472   NtClose  (68, ... ) == 0x0
 00306   472   NtClose  (72, ... ) == 0x0
 00307   472   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00308   472   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00309   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   472   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00311   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00312   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00314   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00316   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00317   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00318   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0
 00319   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00320   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00321   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00322   472   NtClose  (68, ... ) == 0x0
 00323   472   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00324   472   NtClose  (76, ... ) == 0x0
 00325   472   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00326   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 00327   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0
 00328   472   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00329   472   NtClose  (76, ... ) == 0x0
 00330   472   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00331   472   NtClose  (68, ... ) == 0x0
 00332   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00333   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00334   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00335   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00336   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00337   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00338   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00339   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00340   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00341   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00342   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00343   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00344   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00345   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00346   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00347   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00348   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00349   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00350   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00351   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00352   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00353   472   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240120, ... ) , 42, 1240120, ... ) == 0x0
 00354   472   NtQueryDefaultUILanguage  (1238836, ...
 00355   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00356   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00357   472   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00358   472   NtClose  (-2147482032, ... ) == 0x0
 00359   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00360   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   472   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0
 00362   472   NtQueryValueKey  (-2147482036,  (-2147482036, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00363   472   NtClose  (-2147482036, ... ) == 0x0
 00364   472   NtClose  (-2147482032, ... ) == 0x0
 00354   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00365   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00366   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237688, ... ) }, 1237688, ... ) == 0x0
 00367   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00368   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0
 00369   472   NtClose  (68, ... ) == 0x0
 00370   472   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x840000), 0x0, 4096, ) == 0x0
 00371   472   NtClose  (76, ... ) == 0x0
 00372   472   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00373   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237328, ... ) }, 1237328, ... ) == 0x0
 00374   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238028,  (0x80100080, {24, 0, 0x40, 0, 1238028, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0
 00375   472   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0
 00376   472   NtClose  (76, ... ) == 0x0
 00377   472   NtMapViewOfSection  (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x840000), {0, 0}, 4096, ) == 0x0
 00378   472   NtClose  (68, ... ) == 0x0
 00379   472   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00380   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00381   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0
 00382   472   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x840000), 0x0, 4096, ) == 0x0
 00383   472   NtQueryInformationFile  (68, 1237648, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00384   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1515, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 472, 1515, 0}  (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1515, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" )  ) == 0x0
 00386   472   NtClose  (68, ... ) == 0x0
 00387   472   NtClose  (76, ... ) == 0x0
 00388   472   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 00389   472   NtUnmapViewOfSection  (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW
 00390   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00391   472   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00392   472   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00393   472   NtUserGetDC  (0, ... ) == 0x1010050
 00394   472   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00395   472   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00396   472   NtUserSystemParametersInfo  (66, 12, 1240140, 0, ... ) == 0x1
 00397   472   NtOpenProcessToken  (-1, 0x8, ... 76, ) == 0x0
 00398   472   NtAccessCheck  (1344424, 76, 0x1, 1239544, 1239488, 56, 1239572, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00399   472   NtClose  (76, ... ) == 0x0
 00400   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0
 00401   472   NtQueryValueKey  (76,  (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   472   NtClose  (76, ... ) == 0x0
 00403   472   NtUserSystemParametersInfo  (41, 500, 1239640, 0, ... ) == 0x1
 00404   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0
 00405   472   NtQueryValueKey  (76,  (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0
 00407   472   NtQueryValueKey  (68,  (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00408   472   NtClose  (68, ... ) == 0x0
 00409   472   NtClose  (76, ... ) == 0x0
 00410   472   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00411   472   NtUserSystemParametersInfo  (4130, 0, 1240164, 0, ... ) == 0x1
 00412   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0
 00413   472   NtEnumerateValueKey  (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00414   472   NtClose  (76, ... ) == 0x0
 00415   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00416   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc03b
 00417   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc03d
 00418   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00419   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc03f
 00420   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00421   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc041
 00422   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00423   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc043
 00424   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc045
 00425   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00426   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc047
 00427   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00428   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc049
 00429   472   NtUserGetClassInfo  (1905590272, 1240060, 1240012, 1240088, 0, ... ) == 0xc049
 00430   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00431   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc04b
 00432   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00433   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc04d
 00434   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00435   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc04f
 00436   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc051
 00437   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00438   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc053
 00439   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00440   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc055
 00441   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc057
 00442   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00443   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc059
 00444   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10013
 00445   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc05b
 00446   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00447   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc05d
 00448   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00449   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc05f
 00450   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00451   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc017
 00452   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00453   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc019
 00454   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10013
 00455   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ... ) == 0x810fc018
 00456   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00457   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc01a
 00458   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00459   472   NtUserRegisterClassExWOW  (1239896, 1239976, 1239960, 1239992, 0, 384, 0, ...
 00460   472   NtAllocateVirtualMemory  (-1, 5537792, 0, 4096, 4096, 32, ... 5537792, 4096, ) == 0x0
 00459   472   NtUserRegisterClassExWOW  ... ) == 0x810fc01c
 00461   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00462   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc01e
 00463   472   NtUserFindExistingCursorIcon  (1239444, 1239460, 1240028, ... ) == 0x10011
 00464   472   NtUserRegisterClassExWOW  (1239956, 1240036, 1240020, 1240052, 0, 384, 0, ... ) == 0x810fc01b
 00465   472   NtUserFindExistingCursorIcon  (1239440, 1239456, 1240024, ... ) == 0x10011
 00466   472   NtUserRegisterClassExWOW  (1239952, 1240032, 1240016, 1240048, 0, 384, 0, ... ) == 0x810fc068
 00467   472   NtUserFindExistingCursorIcon  (1239448, 1239464, 1240032, ... ) == 0x10011
 00468   472   NtUserRegisterClassExWOW  (1239900, 1239980, 1239964, 1239996, 0, 384, 0, ... ) == 0x810fc06a
 00469   472   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0
 00470   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00471   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00472   472   NtTestAlert  (... ) == 0x0
 00473   472   NtContinue  (1244464, 1, ...
 00474   472   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x3142828f,}, 4, ... ) == 0x0
 00475   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00476   472   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00477   472   NtClose  (68, ... ) == 0x0
 00478   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 68, ) }, ... 68, ) == 0x0
 00479   472   NtQueryValueKey  (68,  (68, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00480   472   NtClose  (68, ... ) == 0x0
 00481   472   NtQueryDefaultUILanguage  (1241448, ...
 00482   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00483   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482032, ) == 0x0
 00484   472   NtQueryInformationToken  (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00485   472   NtClose  (-2147482032, ... ) == 0x0
 00486   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00487   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00488   472   NtOpenKey  (0x80000000, {24, -2147482032, 0x640, 0, 0,  (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0
 00489   472   NtQueryValueKey  (-2147482044,  (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00490   472   NtClose  (-2147482044, ... ) == 0x0
 00491   472   NtClose  (-2147482032, ... ) == 0x0
 00481   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00492   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00493   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00494   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 68, ... 80, ) == 0x0
 00495   472   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00496   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497   472   NtQueryDefaultLocale  (1, 1239484, ... ) == 0x0
 00498   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00499   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1518, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 464, 472, 1518, 0}  (24, {128, 156, new_msg, 0, 1240340, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 472, 1518, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1D\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0\24\364\22\0\0\0\0\0" )  ) == 0x0
 00500   472   NtClose  (68, ... ) == 0x0
 00501   472   NtClose  (80, ... ) == 0x0
 00502   472   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00503   472   NtUnmapViewOfSection  (-1, 0x12f414, ... ) == STATUS_NOT_MAPPED_VIEW
 00504   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00505   472   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00506   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00507   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00508   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238568, ... ) }, 1238568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00509   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00510   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00511   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00512   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239160, ... ) }, 1239160, ... ) == 0x0
 00513   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 80, {status=0x0, info=1}, ) }, 3, 33, ... 80, {status=0x0, info=1}, ) == 0x0
 00514   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00515   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 68, ) }, ... 68, ) == 0x0
 00516   472   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00517   472   NtClose  (68, ... ) == 0x0
 00518   472   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 68, ) == 0x0
 00519   472   NtQueryInformationProcess  (68, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00520   472   NtClose  (68, ... ) == 0x0
 00521   472   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00522   472   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00523   472   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00524   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 68, ) }, ... 68, ) == 0x0
 00525   472   NtQueryValueKey  (68,  (68, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00526   472   NtClose  (68, ... ) == 0x0
 00527   472   NtUserSystemParametersInfo  (41, 500, 1241024, 0, ... ) == 0x1
 00528   472   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00529   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00530   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00531   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc03b
 00532   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00533   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc03d
 00534   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00535   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00536   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc03f
 00537   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00538   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00539   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc041
 00540   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00541   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00542   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc043
 00543   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00544   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc045
 00545   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00546   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00547   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc047
 00548   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00549   472   NtUserFindExistingCursorIcon  (1240812, 1240828, 1241396, ... ) == 0x10011
 00550   472   NtUserRegisterClassExWOW  (1241264, 1241344, 1241328, 1241360, 0, 384, 0, ... ) == 0x810fc049
 00551   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00552   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00553   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc04b
 00554   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00555   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00556   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc04d
 00557   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00558   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00559   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc04f
 00560   472   NtUserGetClassInfo  (1999896576, 1241436, 1241388, 1241464, 0, ... ) == 0x0
 00561   472   NtUserRegisterClassExWOW  (1241272, 1241352, 1241336, 1241368, 0, 384, 0, ... ) == 0x810fc051
 00562   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00563   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00564   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc053
 00565   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00566   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00567   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc055
 00568   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc057
 00569   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00570   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00571   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc059
 00572   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00573   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10013
 00574   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc05b
 00575   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00576   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00577   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc05d
 00578   472   NtUserGetClassInfo  (1999896576, 1241432, 1241384, 1241460, 0, ... ) == 0x0
 00579   472   NtUserFindExistingCursorIcon  (1240816, 1240832, 1241400, ... ) == 0x10011
 00580   472   NtUserRegisterClassExWOW  (1241268, 1241348, 1241332, 1241364, 0, 384, 0, ... ) == 0x810fc05f
 00581   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03b
 00582   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03d
 00583   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc03f
 00584   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc041
 00585   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc043
 00586   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc045
 00587   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc047
 00588   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc049
 00589   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04b
 00590   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04d
 00591   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc04f
 00592   472   NtUserGetClassInfo  (1999896576, 1243188, 1243140, 1243216, 0, ... ) == 0xc051
 00593   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc053
 00594   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc055
 00595   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc059
 00596   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05b
 00597   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05d
 00598   472   NtUserGetClassInfo  (1999896576, 1243184, 1243136, 1243212, 0, ... ) == 0xc05f
 00599   472   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00600   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1238340, ... ) }, 1238340, ... ) == 0x0
 00601   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00602   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 84, ) == 0x0
 00603   472   NtClose  (68, ... ) == 0x0
 00604   472   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 262144, ) == 0x0
 00605   472   NtClose  (84, ... ) == 0x0
 00606   472   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00607   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00608   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00609   472   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 00610   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00611   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 84, {status=0x0, info=0}, ) }, 7, 16, ... 84, {status=0x0, info=0}, ) == 0x0
 00612   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\305\213\221\201\276P\324\251\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00613   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00614   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00615   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00616   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00617   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00618   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00619   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00620   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00621   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "\13\263;\24\374\302`\325I\347"\357\263\214}\31\177\362\266\21\366\340\232\232\364p\302\356X\331\324]\35+\236\205\345u<\274V\17\330\256\346\245e\355\234O5\264\226_\31\301\3Mp\274ZNPaq\335\0\246\270q\344i\277\22\230\342.X\3146", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "\13\263;\24\374\302`\325I\347"\357\263\214}\31\177\362\266\21\366\340\232\232\364p\302\356X\331\324]\35+\236\205\345u<\274V\17\330\256\346\245e\355\234O5\264\226_\31\301\3Mp\274ZNPaq\335\0\246\270q\344i\277\22\230\342.X\3146", 80, ... ) \357\263\214}\31\177\362\266\21\366\340\232\232\364p\302\356X\331\324]\35+\236\205\345u<\274V\17\330\256\346\245e\355\234O5\264\226_\31\301\3Mp\274ZNPaq\335\0\246\270q\344i\277\22\230\342.X\3146", 80, ... ) == 0x0
 00622   472   NtClose  (-2147482032, ... ) == 0x0
 00612   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\370F{\27w\21\274\30/\220\220\333\234\374\30\337\361\335\267\334\354\2\211]\370\212\311\27\327\273\352x\2374\254\16:\321P\315\177\225\31\243\367\\204\364"\340\304\334c}O<\340\250_\26\205?\242\303?\12\342\325\332K\237\302Z{j\32\304e\17\331\334$\262\1d>\20\330\374\344\316\210\333\336\205c\364\206\1\21sRXR< \2151\331d{\343s&)\350\306\261Hi\26\213\366:\311S\247\200KT\313 \223d\2624\11Y\275\302\312\204\31\24`m\234'g\171\363m0N.\315\12\236\236L\263\242\6\4j\310\377/K\353\17<+\23\1,\250^\237\252\270\224\334\232\14\5\360b!\17\36\2417\33kB\346\200\360\10\352=\200\363\2760\234\307]\354\223y\2\350\207\270\257c\223\261\37mX\316"p\211k\247\3008(\234m\267j#(\213\3104\3514\31\332\314\364\206w\26\310x\33\337", ) \340\304\334c}O<\340\250_\26\205?\242\303?\12\342\325\332K\237\302Z{j\32\304e\17\331\334$\262\1d>\20\330\374\344\316\210\333\336\205c\364\206\1\21sRXR< \2151\331d{\343s&)\350\306\261Hi\26\213\366:\311S\247\200KT\313 \223d\2624\11Y\275\302\312\204\31\24`m\234'g\171\363m0N.\315\12\236\236L\263\242\6\4j\310\377/K\353\17<+\23\1,\250^\237\252\270\224\334\232\14\5\360b!\17\36\2417\33kB\346\200\360\10\352=\200\363\2760\234\307]\354\223y\2\350\207\270\257c\223\261\37mX\316 ... {status=0x0, info=256}, "\370F{\27w\21\274\30/\220\220\333\234\374\30\337\361\335\267\334\354\2\211]\370\212\311\27\327\273\352x\2374\254\16:\321P\315\177\225\31\243\367\\204\364"\340\304\334c}O<\340\250_\26\205?\242\303?\12\342\325\332K\237\302Z{j\32\304e\17\331\334$\262\1d>\20\330\374\344\316\210\333\336\205c\364\206\1\21sRXR< \2151\331d{\343s&)\350\306\261Hi\26\213\366:\311S\247\200KT\313 \223d\2624\11Y\275\302\312\204\31\24`m\234'g\171\363m0N.\315\12\236\236L\263\242\6\4j\310\377/K\353\17<+\23\1,\250^\237\252\270\224\334\232\14\5\360b!\17\36\2417\33kB\346\200\360\10\352=\200\363\2760\234\307]\354\223y\2\350\207\270\257c\223\261\37mX\316"p\211k\247\3008(\234m\267j#(\213\3104\3514\31\332\314\364\206w\26\310x\33\337", ) , ) == 0x0
 00623   472   NtAllocateVirtualMemory  (-1, 1359872, 0, 16384, 4096, 4, ... 1359872, 16384, ) == 0x0
 00624   472   NtUserRegisterClassExWOW  (1240424, 1240504, 1240488, 1240520, 0, 384, 0, ... ) == 0x810fc038
 00625   472   NtUserGetAtomName  (49208, 1239188, ... ) == 0x15
 00626   472   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00627   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1236712, ... ) }, 1236712, ... ) == 0x0
 00628   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0
 00629   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 68, ... 88, ) == 0x0
 00630   472   NtClose  (68, ... ) == 0x0
 00631   472   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x860000), 0x0, 204800, ) == 0x0
 00632   472   NtClose  (88, ... ) == 0x0
 00633   472   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 00634   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1237028, ... ) }, 1237028, ... ) == 0x0
 00635   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 88, {status=0x0, info=1}, ) }, 5, 96, ... 88, {status=0x0, info=1}, ) == 0x0
 00636   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 88, ... 68, ) == 0x0
 00637   472   NtQuerySection  (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00638   472   NtClose  (88, ... ) == 0x0
 00639   472   NtMapViewOfSection  (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00640   472   NtClose  (68, ... ) == 0x0
 00641   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00642   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00643   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00644   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00645   472   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00646   472   NtClose  (68, ... ) == 0x0
 00647   472   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00648   472   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 88, ) }, ... 88, ) == 0x0
 00649   472   NtQueryValueKey  (88,  (88, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   472   NtClose  (88, ... ) == 0x0
 00651   472   NtClose  (68, ... ) == 0x0
 00652   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00653   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00654   472   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00655   472   NtClose  (68, ... ) == 0x0
 00656   472   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 68, ) }, ... 68, ) == 0x0
 00657   472   NtOpenKey  (0x1, {24, 68, 0x40, 0, 0,  (0x1, {24, 68, 0x40, 0, 0, "Control Panel\Desktop"}, ... 88, ) }, ... 88, ) == 0x0
 00658   472   NtQueryValueKey  (88,  (88, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   472   NtClose  (88, ... ) == 0x0
 00660   472   NtClose  (68, ... ) == 0x0
 00661   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1236528, ... ) }, 1236528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00662   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1236528, ... ) }, 1236528, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1236528, ... ) }, 1236528, ... ) == 0x0
 00664   472   NtUserGetProcessWindowStation  (... ) == 0x28
 00665   472   NtUserGetObjectInformation  (40, 2, 0, 0, 1238824, ... ) == 0x0
 00666   472   NtUserGetObjectInformation  (40, 2, 1353080, 16, 1238824, ... ) == 0x1
 00667   472   NtUserGetGUIThreadInfo  (472, 1238780, ... ) == 0x1
 00668   472   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1238600, 64, ... 68, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238600, 64, ... 68, 0x0, 0x0, 0x0, 64, ) == 0x0
 00669   472   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 472, 1520, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1520, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00670   472   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1521, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 472, 1521, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1521, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00671   472   NtUserCallNoParam  (29, ...
 00672   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1236072, ... ) }, 1236072, ... ) == 0x0
 00671   472   NtUserCallNoParam  ... ) == 0x0
 00673   472   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00674   472   NtGdiHfontCreate  (1238152, 356, 0, 0, 1344496, ... ) == 0x130a03e6
 00675   472   NtGdiHfontCreate  (1238152, 356, 0, 0, 1344488, ... ) == 0x190a031e
 00676   472   NtRequestWaitReplyPort  (68, {32, 56, new_msg, 0, 0, 0, 0, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1522, 0} "\0\0\0\0\0\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 464, 472, 1522, 0}  (68, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 464, 472, 1522, 0} "\0\0\0\0\0\0\0\0X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00677   472   NtMapViewOfSection  (88, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x860000), {0, 0}, 331776, ) == 0x0
 00678   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00679   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00680   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00681   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00682   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00683   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00684   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00685   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00686   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00687   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00688   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00689   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00690   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00691   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00692   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00693   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00694   472   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00695   472   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x261003e5
 00696   472   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00697   472   NtUserCallNoParam  (29, ...
 00698   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235516, ... ) }, 1235516, ... ) == 0x0
 00697   472   NtUserCallNoParam  ... ) == 0x0
 00699   472   NtUserCallNoParam  (29, ...
 00700   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1235512, ... ) }, 1235512, ... ) == 0x0
 00699   472   NtUserCallNoParam  ... ) == 0x0
 00701   472   NtUserMessageCall  (0x200be, WM_NCCREATE, 0x0, 0x12e840, 0, 670, 0, ... ) == 0x1
 00702   472   NtUserMessageCall  (0x200be, WM_NCCALCSIZE, 0x0, 0x12e868, 0, 670, 0, ... ) == 0x0
 00703   472   NtUserSetProp  (131262, 43288, -1, ... ) == 0x1
 00626   472   NtUserCreateWindowEx  ... ) == 0x200be
 00704   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\346\220\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00705   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00706   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00707   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00708   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00709   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00710   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00711   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00712   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00713   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "\205\320J~\325\70\222\27z\232 \367\301\22\302I\27\04\363\17\333.\7\30w\233)\377\352\351\325M\220\334\377\27\24\2627ML\242\312\12\27\373\313\37.\2\227y7T\301A\306\313"&\274=1!\273\6\336\277\256\3q\323\234\1\373k\27\205", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "\205\320J~\325\70\222\27z\232 \367\301\22\302I\27\04\363\17\333.\7\30w\233)\377\352\351\325M\220\334\377\27\24\2627ML\242\312\12\27\373\313\37.\2\227y7T\301A\306\313"&\274=1!\273\6\336\277\256\3q\323\234\1\373k\27\205", 80, ... ) &\274=1!\273\6\336\277\256\3q\323\234\1\373k\27\205", 80, ... ) == 0x0
 00714   472   NtClose  (-2147482032, ... ) == 0x0
 00704   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\33\2\370\271\356\221\21\336\364\345\306\206\224\301.\263\247t\274\310\261\266\27\17i\370\\337\250\223X\346X\264;)N\3068_\24\256D\324\374\337\4\204\214\15\300kX\351\252T\2761Q7\345\5\316\13\233\335\321\317\202\334\372H\263.\2151`\275\260\32\350\360\357\303\236RB\344\313<\222\362\337)\334\306\272\34\313\13\200l\205\267T\305\312\224\2266\33$\314\351\30 \312\316\217L=\202\275C\313\265T7Y\264s\212{\20B\327U\30c\242\204\24\5'\10\213\321\34\251\6\312\36\5d\220l'\5\0\3423\242\21\271qr\347\15\330\242\331\213gs\263\224x\316\361\312s\26\260\34 }\353\312\223\233 \317\330\37\302'c\376\35C\2450\360\277\223\11:bfLW=\2547w\11\3\16n\2467+\346Y\375\260\264+\272Hm\236'\3314\3\337\324\213\0+\350\342S\\207\241\316Dk`\26\335\11\346", ) , ) == 0x0
 00715   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00716   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00717   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00718   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00719   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00720   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00721   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00722   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00723   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00724   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "H\347\273*\227\256/up\274\356\216\216L\326|oR\373o\211\304,0\315\226\272=\351\215]Y\302\253\233,\256_HG]\204W\377\13\357\24\361J\34\255\341\350\310r\231\226\4\220\246@\325\331\264\206\315\10v\251\252{z\232\226\304\1gI", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "H\347\273*\227\256/up\274\356\216\216L\326|oR\373o\211\304,0\315\226\272=\351\215]Y\302\253\233,\256_HG]\204W\377\13\357\24\361J\34\255\341\350\310r\231\226\4\220\246@\325\331\264\206\315\10v\251\252{z\232\226\304\1gI", 80, ... ) , 80, ... ) == 0x0
 00725   472   NtClose  (-2147482032, ... ) == 0x0
 00715   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\360(\31\351"\270\243\313\337\370f\25^A\11\254\337o4@V;\323\376a\332s\257\263\21\206se@2\331\353\240\332\332\374\225\2516O\215s\2\15\264\302\261\315\243\337\302\326FZ\327\243B\336\322\27\363\32Z5\266&\213\241\246\\252/\336c`\303\317\302\206P2\370vs\205\3\354\331\10\235US\273A/\331\236\240T\254\300-\205@\253J`'g%\217\242{\232\224\306`=`\6+\242\233X\357\6\236\224\334\213\2fi6\22u\204\315Dd\371I;\312\326\235 \331\300\221{{D\336n\24\11\340\247\213\320\276\5"sw\304\321\327R\260!"\317=\30\\372W\223\363\20\346\276I]\221\271\4\7\3113\352\264\227\23#\302\260\35\21\22\220\225\36s\12\323\323\207\177\233\220", ) \270\243\313\337\370f\25^A\11\254\337o4@V;\323\376a\332s\257\263\21\206se@2\331\353\240\332\332\374\225\2516O\215s\2\15\264\302\261\315\243\337\302\326FZ\327\243B\336\322\27\363\32Z5\266&\213\241\246\\252/\336c`\303\317\302\206P2\370vs\205\3\354\331\10\235US\273A/\331\236\240T\254\300-\205@\253J`'g%\217\242{\232\224\306`=`\6+\242\233X\357\6\236\224\334\213\2fi6\22u\204\315Dd\371I;\312\326\235 \331\300\221{{D\336n\24\11\340\247\213\320\276\5371\346!,\231YCP8\33#\12c\266\12Qc\2\327)\37\321\14?\367\304[\374\250\20\264*\327\1 ... {status=0x0, info=256}, "\360(\31\351"\270\243\313\337\370f\25^A\11\254\337o4@V;\323\376a\332s\257\263\21\206se@2\331\353\240\332\332\374\225\2516O\215s\2\15\264\302\261\315\243\337\302\326FZ\327\243B\336\322\27\363\32Z5\266&\213\241\246\\252/\336c`\303\317\302\206P2\370vs\205\3\354\331\10\235US\273A/\331\236\240T\254\300-\205@\253J`'g%\217\242{\232\224\306`=`\6+\242\233X\357\6\236\224\334\213\2fi6\22u\204\315Dd\371I;\312\326\235 \331\300\221{{D\336n\24\11\340\247\213\320\276\5"sw\304\321\327R\260!"\317=\30\\372W\223\363\20\346\276I]\221\271\4\7\3113\352\264\227\23#\302\260\35\21\22\220\225\36s\12\323\323\207\177\233\220", ) \317=\30\\372W\223\363\20\346\276I]\221\271\4\7\3113\352\264\227\23#\302\260\35\21\22\220\225\36s\12\323\323\207\177\233\220", ) == 0x0
 00726   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315|\250\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00727   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00728   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00729   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00730   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00731   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00732   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00733   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00734   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00735   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "\365\374\317\37@kt\377\225$\264L\245\270\11\300\261\36\336+>\270\207^\2433\211B9J\5\255{\345\322\2001\15\334K\5K]\347\37\327 \356\305(\205\211-\260%\237\15$\347\323\30@Z\320\201G)'\236E\357\274/\270\375\211\211 79", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "\365\374\317\37@kt\377\225$\264L\245\270\11\300\261\36\336+>\270\207^\2433\211B9J\5\255{\345\322\2001\15\334K\5K]\347\37\327 \356\305(\205\211-\260%\237\15$\347\323\30@Z\320\201G)'\236E\357\274/\270\375\211\211 79", 80, ... ) , 80, ... ) == 0x0
 00736   472   NtClose  (-2147482032, ... ) == 0x0
 00726   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\355\315c\327\32u@\377}"c\242\350\273:\3077\324\374\347p9\360\20\7f\255\275\250\331`\353\366\215\340\374u\200]}\314\0\9\302T\232\30\311$F\6'N\32#\301D\234t\203\374]_\230\213\12\370N\253)L}H\220\245$\305\222(f?\230#Z\251a\333\17\357\254\302u3\276\341\33\21\331\346p\347u\255\336\252\377i.\34\216\206S\5\342\231e"\305\31\15ex\240?*\312\244/\31\230\370\233\260j\236\223\303q\260\341\2377\342\200t.\2\332\221\326\337\236P\13w\374\3011\31\324\225O"\20\226K\233"N2\333\\361\236:\247\343\247\217!2, ) c\242\350\273:\3077\324\374\347p9\360\20\7f\255\275\250\331`\353\366\215\340\374u\200]}\314\0\9\302T\232\30\311$F\6'N\32#\301D\234t\203\374]_\230\213\12\370N\253)L}H\220\245$\305\222(f?\230#Z\251a\333\17\357\254\302u3\276\341\33\21\331\346p\347u\255\336\252\377i.\34\216\206S\5\342\231e ... {status=0x0, info=256}, "\355\315c\327\32u@\377}"c\242\350\273:\3077\324\374\347p9\360\20\7f\255\275\250\331`\353\366\215\340\374u\200]}\314\0\9\302T\232\30\311$F\6'N\32#\301D\234t\203\374]_\230\213\12\370N\253)L}H\220\245$\305\222(f?\230#Z\251a\333\17\357\254\302u3\276\341\33\21\331\346p\347u\255\336\252\377i.\34\216\206S\5\342\231e"\305\31\15ex\240?*\312\244/\31\230\370\233\260j\236\223\303q\260\341\2377\342\200t.\2\332\221\326\337\236P\13w\374\3011\31\324\225O"\20\226K\233"N2\333\\361\236:\247\343\247\217!2, ) \20\226K\233 ... {status=0x0, info=256}, "\355\315c\327\32u@\377}"c\242\350\273:\3077\324\374\347p9\360\20\7f\255\275\250\331`\353\366\215\340\374u\200]}\314\0\9\302T\232\30\311$F\6'N\32#\301D\234t\203\374]_\230\213\12\370N\253)L}H\220\245$\305\222(f?\230#Z\251a\333\17\357\254\302u3\276\341\33\21\331\346p\347u\255\336\252\377i.\34\216\206S\5\342\231e"\305\31\15ex\240?*\312\244/\31\230\370\233\260j\236\223\303q\260\341\2377\342\200t.\2\332\221\326\337\236P\13w\374\3011\31\324\225O"\20\226K\233"N2\333\\361\236:\247\343\247\217!2, ) , ) == 0x0
 00737   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00738   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00739   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00740   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00741   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00742   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00743   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00744   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00745   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00746   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "G\32\225\263\267\255e\3629\0_\217\7\271\330_#\323\260\3723\225\204~D\23\336Y-\346#/R\312\231\355\363Aw\205cn\333\340.\26{n\261v\327\244[$\33\256!\243W\337z#8\213\264\2636\263\315\36\233\315\356\325bG\372\217\233", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "G\32\225\263\267\255e\3629\0_\217\7\271\330_#\323\260\3723\225\204~D\23\336Y-\346#/R\312\231\355\363Aw\205cn\333\340.\26{n\261v\327\244[$\33\256!\243W\337z#8\213\264\2636\263\315\36\233\315\356\325bG\372\217\233", 80, ... ) , 80, ... ) == 0x0
 00747   472   NtClose  (-2147482032, ... ) == 0x0
 00737   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\220\20H\257\333\246\312%\375Z\301\242}\25\221]\30\2\341\224\202[=e\311\341\230\371^\230? \306\35\361\3072[\20#\243\3721\347\33c\223\200\351:*5>\302\347\234\13K\322\2521\2544Q\307\207\274N]\13\317\307KT\241\311\31\26\36\35\263N\334{\314\311d\14\355|\325H\326\326\253\350\322M9c\200\3339f\300\274h6\211\371\356\331x\11\21\271\213l\253\217\322\276e\306RI\2366~3\215;\265\230[\235\17\260\207\256\2F}\322\347\215@\220X\177\27\357e\324\313\317\312v\364|T\361\320+\340\222\230\30\35\357n\264]\375\347v\236{.\360H\223\35\320\353T\226\321/y\202\307E+\26\317\222\363\322e+\15$\354\21\236Vp\304\337\30\5\231\200\260)\235\203w/`\275~3?v\315)\351\327\261\230 @'\222\247\240a\230\2678\203.\6\310\323\36Ix:\207\307^\25G", ) , ) == 0x0
 00748   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00749   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00750   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00751   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00752   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00753   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00754   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00755   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00756   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00757   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "B\220\264\210\233\304KW\26xc\246\357D;\241\343B\236\335\345\27\340@\344T\11\35t\247L\273E\364ct\0F\244{.\204\363\261!u#i'\354g\345\261\262\205\210y\355\275_\334f\327\30\273\322\276\372<\324\225\222\331\336\34\334\203qm", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "B\220\264\210\233\304KW\26xc\246\357D;\241\343B\236\335\345\27\340@\344T\11\35t\247L\273E\364ct\0F\244{.\204\363\261!u#i'\354g\345\261\262\205\210y\355\275_\334f\327\30\273\322\276\372<\324\225\222\331\336\34\334\203qm", 80, ... ) , 80, ... ) == 0x0
 00758   472   NtClose  (-2147482032, ... ) == 0x0
 00748   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "jd\240\236\335\343o\326\366\214\246w\244\345\311;\337\214\221\213t\201V\346\232\355\207\313\13\252\351h\211\211\205\236\262\32\13\301\215\3305KT\1x\23\374~\2\4\232\311\13Y\334\17\353v\303\304\361R]\227n\3\33P&5\254[\13Z\224q\266\266\267\373!p6\34\336Wg\242\321\177;\331$\223d\215\275m'\277\234mId>A\367\221A\33\307h3\31wp\37\376\335\303F\364_N\373\216\237@\244\200\31\316`\330\351N"\336W\353F\206\313\14\332g\331\3322\351\370<\222l\253HsP\2\333F\255\332\5\341]~\232\343\276\255[\22\252\350\372\237\333\13?7\307;*\347\26=h\250U\355\257\244\372\214f\302\6\226\303\350\216\247\245\22\223\15\32\266\30\367\322\231\237\25UY|\273\26\333\2327\334\36\33\370\206\5o}\231W(s\350$\226\230\276Z\230FH\22\353j\227\301\367_\326\37", ) \336W\353F\206\313\14\332g\331\3322\351\370<\222l\253HsP\2\333F\255\332\5\341]~\232\343\276\255[\22\252\350\372\237\333\13?7\307;*\347\26=h\250U\355\257\244\372\214f\302\6\226\303\350\216\247\245\22\223\15\32\266\30\367\322\231\237\25UY|\273\26\333\2327\334\36\33\370\206\5o}\231W(s\350$\226\230\276Z\230FH\22\353j\227\301\367_\326\37", ) == 0x0
 00759   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00760   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00761   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00762   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00763   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00764   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00765   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00766   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00767   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00768   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "\367A\14\275\310\360\305\365\3146FQ\15V"@}F\242\360v\371\21p\25\2259B\227\320\74\204M\2A\273\5\3522}_\252,\341.>\337\323s\202Q\201]\336x\226\324\1\325\241\16g=\264\251\301\307\20\261\24\363=\7\267u7\177\217\216", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "\367A\14\275\310\360\305\365\3146FQ\15V"@}F\242\360v\371\21p\25\2259B\227\320\74\204M\2A\273\5\3522}_\252,\341.>\337\323s\202Q\201]\336x\226\324\1\325\241\16g=\264\251\301\307\20\261\24\363=\7\267u7\177\217\216", 80, ... ) @}F\242\360v\371\21p\25\2259B\227\320\74\204M\2A\273\5\3522}_\252,\341.>\337\323s\202Q\201]\336x\226\324\1\325\241\16g=\264\251\301\307\20\261\24\363=\7\267u7\177\217\216", 80, ... ) == 0x0
 00769   472   NtClose  (-2147482032, ... ) == 0x0
 00759   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\23\256\203| m/=\242\251G\265(\317\4$W\327O\340\231\250\220\5$\357C\261\34\263\250\327\341\314N\10\311\257\262\35TinP\327'o1)\200\356/\373a\304<-\245 \375Q\301T\254!\310\202\336y\314S\263Gh_\370\367;\267$y\237Z\2\346\207S|T\241\251\241\300 \326\370\260\2235m\302\306t\336\307\314\206\10\237\3234\215\227g\355\227\350A\317\335\212%e\10h\12\210\355\306\231\353\233=\271WHS\363+au)\7\344\372\2~&v\224\261\254'\366K]\360\215\177v\360\373\343]\212)\224m\217\202\2230\304f\10\202\303*\355X\340\14\20\377\324\216_\334\325\373\354\33\314\15\336CT+", ) +au)\7\344\372\2~&v\224\261\254'\366K]\360\215\177v\360\373\343]\212)\224m\217\202\2230\304f\10\202\303*\355X\340\14\20\377\324\216_\334\325\373\354\33\314\15\336CT+", ) == 0x0
 00770   472   NtDeviceIoControlFile  (84, 0, 0x0, 0x0, 0x390008,  (84, 0, 0x0, 0x0, 0x390008, "\0\336\24\353)\316\30v|\14\361\247\237(\245g\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315|\250\313\13\233\353\315?_\325\313\275\312\265\15f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00771   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00772   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00773   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00774   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00775   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00776   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00777   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00778   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482032, 2, ) }, 0, 0x0, 0, ... -2147482032, 2, ) == 0x0
 00779   472   NtSetValueKey  (-2147482032,  (-2147482032, "Seed", 0, 3, "\2260"H\1\271\327H\340z\307Z?\353\330\355\362\353\202\254l\314\220\35\257\226KyS\13x\1\364#\256\320\23\314:o\233_\314\220hj\274\34\232s\177h\237G\15x\352an\362Tj\363\313V3\265\371v\340*\232\3\16\375F\202E}", 80, ... ) , 0, 3,  (-2147482032, "Seed", 0, 3, "\2260"H\1\271\327H\340z\307Z?\353\330\355\362\353\202\254l\314\220\35\257\226KyS\13x\1\364#\256\320\23\314:o\233_\314\220hj\274\34\232s\177h\237G\15x\352an\362Tj\363\313V3\265\371v\340*\232\3\16\375F\202E}", 80, ... ) H\1\271\327H\340z\307Z?\353\330\355\362\353\202\254l\314\220\35\257\226KyS\13x\1\364#\256\320\23\314:o\233_\314\220hj\274\34\232s\177h\237G\15x\352an\362Tj\363\313V3\265\371v\340*\232\3\16\375F\202E}", 80, ... ) == 0x0
 00780   472   NtClose  (-2147482032, ... ) == 0x0
 00770   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "3\2661V\244\222+\226\261\340S\261=\346\311m\312\177u\27c\301N\247i\0\243\15\302\11\346\304\375\16"\253ub\225E\367\336\367]\23\324\313\337\242m\371&Zf\3421\270)S,\327y\325\230\313m\24\300\16:\217{\301\363L\257\375Kc\30\274'^y\254\6X\1\216\332\344\242\277\334\342O\354-v\301\342z\207\311w#\376\313\257R\206\233K~\303w\376\345\4\257E\263\325|\374\201\344\243\330\254\337J\3\247\310\230\332\204ZK\351\243ft"\302\370\5\11\206{\337P\37Du\235!F6\213\21z\24\11\35\333\246\321:lp\345o\3354G#\344=\21\274I\236\347\10\232\222\252c\210Z4\266\363\225\344`\30\274\260x\7Vau\317\347\34\363\312=\7\310\201'\227\226\4-{\361\213\355$p.Bo\3\355u\341v\24&\244\337\367Oy\237\360\305\32s\325\302\327\210\3Y1\315X", ) \253ub\225E\367\336\367]\23\324\313\337\242m\371&Zf\3421\270)S,\327y\325\230\313m\24\300\16:\217{\301\363L\257\375Kc\30\274'^y\254\6X\1\216\332\344\242\277\334\342O\354-v\301\342z\207\311w#\376\313\257R\206\233K~\303w\376\345\4\257E\263\325|\374\201\344\243\330\254\337J\3\247\310\230\332\204ZK\351\243ft ... {status=0x0, info=256}, "3\2661V\244\222+\226\261\340S\261=\346\311m\312\177u\27c\301N\247i\0\243\15\302\11\346\304\375\16"\253ub\225E\367\336\367]\23\324\313\337\242m\371&Zf\3421\270)S,\327y\325\230\313m\24\300\16:\217{\301\363L\257\375Kc\30\274'^y\254\6X\1\216\332\344\242\277\334\342O\354-v\301\342z\207\311w#\376\313\257R\206\233K~\303w\376\345\4\257E\263\325|\374\201\344\243\330\254\337J\3\247\310\230\332\204ZK\351\243ft"\302\370\5\11\206{\337P\37Du\235!F6\213\21z\24\11\35\333\246\321:lp\345o\3354G#\344=\21\274I\236\347\10\232\222\252c\210Z4\266\363\225\344`\30\274\260x\7Vau\317\347\34\363\312=\7\310\201'\227\226\4-{\361\213\355$p.Bo\3\355u\341v\24&\244\337\367Oy\237\360\305\32s\325\302\327\210\3Y1\315X", ) , ) == 0x0
 00781   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 92, ) }, ... 92, ) == 0x0
 00782   472   NtQueryValueKey  (92,  (92, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00783   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 96, ) }, ... 96, ) == 0x0
 00784   472   NtQueryValueKey  (96,  (96, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00785   472   NtClose  (96, ... ) == 0x0
 00786   472   NtClose  (92, ... ) == 0x0
 00787   472   NtAllocateVirtualMemory  (-1, 1376256, 0, 24576, 4096, 4, ... 1376256, 24576, ) == 0x0
 00788   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00789   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1238584, ... ) }, 1238584, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00790   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1238584, ... ) }, 1238584, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00791   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1238584, ... ) }, 1238584, ... ) == 0x0
 00792   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00793   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 96, ) == 0x0
 00794   472   NtQuerySection  (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00795   472   NtClose  (92, ... ) == 0x0
 00796   472   NtMapViewOfSection  (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00797   472   NtClose  (96, ... ) == 0x0
 00798   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00799   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00800   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 96, ) }, ... 96, ) == 0x0
 00801   472   NtQueryValueKey  (96,  (96, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00802   472   NtClose  (96, ... ) == 0x0
 00803   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00804   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 96, ) == 0x0
 00805   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 92, ) == 0x0
 00806   472   NtQuerySystemTime  (... {294067358, 29874552}, ) == 0x0
 00807   472   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00808   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 100, ) == 0x0
 00809   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00811   472   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00812   472   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00813   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0
 00814   472   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 108, ) == 0x0
 00815   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 112, ) }, ... 112, ) == 0x0
 00816   472   NtOpenKey  (0x20019, {24, 112, 0x40, 0, 0,  (0x20019, {24, 112, 0x40, 0, 0, "ActiveComputerName"}, ... 116, ) }, ... 116, ) == 0x0
 00817   472   NtQueryValueKey  (116,  (116, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (116, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (116, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00818   472   NtClose  (116, ... ) == 0x0
 00819   472   NtClose  (112, ... ) == 0x0
 00820   472   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 112, ) == 0x0
 00821   472   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 116, ) == 0x0
 00822   472   NtDuplicateObject  (-1, 112, -1, 0x0, 0, 2, ... 120, ) == 0x0
 00823   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00824   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 124, ) == 0x0
 00825   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00826   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00827   472   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00828   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238952,  (0xc0100080, {24, 0, 0x40, 0, 1238952, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 128, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 128, {status=0x0, info=1}, ) == 0x0
 00829   472   NtSetInformationFile  (128, 1239008, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00830   472   NtSetInformationFile  (128, 1239000, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00831   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00832   472   NtWriteFile  (128, 105, 0, 0,  (128, 105, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00833   472   NtReadFile  (128, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (128, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00834   472   NtFsControlFile  (128, 105, 0x0, 0x0, 0x11c017,  (128, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (128, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335#\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00835   472   NtClose  (124, ... ) == 0x0
 00836   472   NtClose  (128, ... ) == 0x0
 00837   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1238996, ... ) }, 1238996, ... ) == 0x0
 00838   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00839   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00840   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\oI3C04a8.exe"}, 1238816, ... ) }, 1238816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00841   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00842   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00843   472   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1406608, 0,  (0x1f0003, {24, 52, 0x80, 1406608, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 128, ) }, 0, 2147483647, ... 128, ) == STATUS_OBJECT_NAME_EXISTS
 00844   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00845   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00846   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00847   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00848   472   NtQueryValueKey  (124,  (124, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   472   NtClose  (124, ... ) == 0x0
 00850   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00851   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00852   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00854   472   NtQueryValueKey  (124,  (124, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   472   NtClose  (124, ... ) == 0x0
 00856   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00857   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00858   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00859   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00860   472   NtQueryValueKey  (124,  (124, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00861   472   NtClose  (124, ... ) == 0x0
 00862   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00863   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00864   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00865   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00866   472   NtQueryValueKey  (124,  (124, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00867   472   NtClose  (124, ... ) == 0x0
 00868   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00870   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00871   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00872   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00873   472   NtQueryValueKey  (124,  (124, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00874   472   NtClose  (124, ... ) == 0x0
 00875   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 00876   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 00877   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00878   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 124, ) }, ... 124, ) == 0x0
 00879   472   NtQueryValueKey  (124,  (124, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00880   472   NtClose  (124, ... ) == 0x0
 00881   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00882   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 124, ) == 0x0
 00883   472   NtQueryInformationToken  (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00884   472   NtClose  (124, ... ) == 0x0
 00885   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 124, ) }, ... 124, ) == 0x0
 00886   472   NtSetInformationObject  (126, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00887   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 00888   472   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00889   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00890   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 132, ) }, ... 132, ) == 0x0
 00891   472   NtQueryKey  (134, Name, 392, ... {Name= (134, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 00892   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00893   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 136, ) == 0x0
 00894   472   NtQueryInformationToken  (136, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00895   472   NtClose  (136, ... ) == 0x0
 00896   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   472   NtQueryValueKey  (134, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (134, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 00898   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1236724, ... ) }, 1236724, ... ) == 0x0
 00899   472   NtClose  (134, ... ) == 0x0
 00900   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 00901   472   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00902   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1237872, ... ) }, 1237872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1237872, ... ) }, 1237872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1237872, ... ) }, 1237872, ... ) == 0x0
 00906   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 132, {status=0x0, info=1}, ) }, 5, 96, ... 132, {status=0x0, info=1}, ) == 0x0
 00907   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 132, ... 136, ) == 0x0
 00908   472   NtQuerySection  (136, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   472   NtClose  (132, ... ) == 0x0
 00910   472   NtMapViewOfSection  (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 00911   472   NtClose  (136, ... ) == 0x0
 00912   472   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00913   472   NtQueryDefaultLocale  (1, 1237704, ... ) == 0x0
 00914   472   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 00915   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00916   472   NtQueryValueKey  (136,  (136, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00917   472   NtClose  (136, ... ) == 0x0
 00918   472   NtUserGetProcessWindowStation  (... ) == 0x28
 00919   472   NtUserGetObjectInformation  (40, 1, 1237376, 12, 1237388, ... ) == 0x1
 00920   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 136, ) }, ... 136, ) == 0x0
 00921   472   NtQueryValueKey  (136,  (136, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (136, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 00922   472   NtClose  (136, ... ) == 0x0
 00923   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00924   472   NtQueryValueKey  (136,  (136, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00925   472   NtQueryValueKey  (136,  (136, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 00926   472   NtClose  (136, ... ) == 0x0
 00927   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00928   472   NtQueryValueKey  (136,  (136, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00929   472   NtQueryValueKey  (136,  (136, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 00930   472   NtClose  (136, ... ) == 0x0
 00931   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00932   472   NtQueryValueKey  (136,  (136, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00933   472   NtQueryValueKey  (136,  (136, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00934   472   NtClose  (136, ... ) == 0x0
 00935   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00936   472   NtQueryValueKey  (136,  (136, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00937   472   NtQueryValueKey  (136,  (136, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 00938   472   NtClose  (136, ... ) == 0x0
 00939   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 136, ) }, ... 136, ) == 0x0
 00940   472   NtQueryValueKey  (136,  (136, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00941   472   NtQueryValueKey  (136,  (136, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 00942   472   NtClose  (136, ... ) == 0x0
 00943   472   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 136, ) }, ... 136, ) == 0x0
 00944   472   NtQueryValueKey  (136,  (136, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (136, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 00945   472   NtClose  (136, ... ) == 0x0
 00946   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 136, ) == 0x0
 00947   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 132, ) == 0x0
 00948   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0
 00949   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 144, ) == 0x0
 00950   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 148, ) == 0x0
 00951   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 152, ) == 0x0
 00952   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 156, ) }, ... 156, ) == 0x0
 00953   472   NtQueryValueKey  (156,  (156, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00954   472   NtQueryValueKey  (156,  (156, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00955   472   NtOpenKey  (0x1, {24, 156, 0x40, 0, 0,  (0x1, {24, 156, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00956   472   NtClose  (156, ... ) == 0x0
 00957   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1237296, ... ) }, 1237296, ... ) == 0x0
 00958   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 156, ) }, ... 156, ) == 0x0
 00959   472   NtQueryValueKey  (156,  (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (156, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00960   472   NtClose  (156, ... ) == 0x0
 00961   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 00962   472   NtQueryValueKey  (156,  (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (156, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 00963   472   NtClose  (156, ... ) == 0x0
 00964   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00965   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 156, ) }, ... 156, ) == 0x0
 00966   472   NtQueryValueKey  (156,  (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (156, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 00967   472   NtClose  (156, ... ) == 0x0
 00968   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00969   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 00970   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00971   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00972   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238076,  (0xc0100080, {24, 0, 0x40, 0, 1238076, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 00973   472   NtSetInformationFile  (160, 1238132, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00974   472   NtSetInformationFile  (160, 1238124, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00975   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00976   472   NtWriteFile  (160, 105, 0, 0,  (160, 105, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00977   472   NtReadFile  (160, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00978   472   NtFsControlFile  (160, 105, 0x0, 0x0, 0x11c017,  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\335 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00979   472   NtFsControlFile  (160, 105, 0x0, 0x0, 0x11c017,  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 00980   472   NtFsControlFile  (160, 105, 0x0, 0x0, 0x11c017,  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0H\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00981   472   NtClose  (156, ... ) == 0x0
 00982   472   NtClose  (160, ... ) == 0x0
 00983   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00984   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 160, ) == 0x0
 00985   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00986   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00987   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238076,  (0xc0100080, {24, 0, 0x40, 0, 1238076, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 156, {status=0x0, info=1}, ) == 0x0
 00988   472   NtSetInformationFile  (156, 1238132, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00989   472   NtSetInformationFile  (156, 1238124, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00990   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00991   472   NtWriteFile  (156, 105, 0, 0,  (156, 105, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00992   472   NtReadFile  (156, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (156, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00993   472   NtFsControlFile  (156, 105, 0x0, 0x0, 0x11c017,  (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\352\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00994   472   NtFsControlFile  (156, 105, 0x0, 0x0, 0x11c017,  (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 00995   472   NtFsControlFile  (156, 105, 0x0, 0x0, 0x11c017,  (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (156, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0I\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 00996   472   NtClose  (160, ... ) == 0x0
 00997   472   NtClose  (156, ... ) == 0x0
 00998   472   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 00999   472   NtOpenProcessToken  (-1, 0x20, ... 156, ) == 0x0
 01000   472   NtAdjustPrivilegesToken  (156, 0, 1410056, 0, 0, 0, ... ) == 0x0
 01001   472   NtClose  (156, ... ) == 0x0
 01002   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01003   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 156, ) == 0x0
 01004   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01005   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01006   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238316,  (0xc0100080, {24, 0, 0x40, 0, 1238316, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 160, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 160, {status=0x0, info=1}, ) == 0x0
 01007   472   NtSetInformationFile  (160, 1238372, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01008   472   NtSetInformationFile  (160, 1238364, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01009   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01010   472   NtWriteFile  (160, 105, 0, 0,  (160, 105, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01011   472   NtReadFile  (160, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (160, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01012   472   NtFsControlFile  (160, 105, 0x0, 0x0, 0x11c017,  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01013   472   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01014   472   NtOpenProcessToken  (-1, 0x20, ... 164, ) == 0x0
 01015   472   NtAdjustPrivilegesToken  (164, 0, 1410096, 0, 0, 0, ... ) == 0x0
 01016   472   NtClose  (164, ... ) == 0x0
 01017   472   NtFsControlFile  (160, 105, 0x0, 0x0, 0x11c017,  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (160, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01018   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 164, {status=0x0, info=1}, ) }, 3, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01019   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 168, ) }, ... 168, ) == 0x0
 01020   472   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01021   472   NtClose  (168, ... ) == 0x0
 01022   472   NtQueryVolumeInformationFile  (164, 1238776, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01023   472   NtClose  (164, ... ) == 0x0
 01024   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 164, {status=0x0, info=1}, ) }, 3, 16, ... 164, {status=0x0, info=1}, ) == 0x0
 01025   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01026   472   NtClose  (164, ... ) == 0x0
 01027   472   NtQueryInformationFile  (-1, 1238776, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01028   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238728,  (0x100080, {24, 0, 0x40, 0, 1238728, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01029   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01030   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01031   472   NtClose  (-2147482032, ... ) == 0x0
 01029   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01032   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01033   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01034   472   NtClose  (-2147482032, ... ) == 0x0
 01032   472   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\15\201\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01035   472   NtClose  (164, ... ) == 0x0
 01036   472   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 01037   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 164, ) }, ... 164, ) == 0x0
 01038   472   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 168, ) }, ... 168, ) == 0x0
 01039   472   NtClose  (164, ... ) == 0x0
 01040   472   NtQueryValueKey  (168,  (168, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01041   472   NtQueryValueKey  (168,  (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\22\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0\22\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\22\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0\22\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\23\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01042   472   NtClose  (168, ... ) == 0x0
 01043   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 168, ) }, ... 168, ) == 0x0
 01044   472   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 164, ) }, ... 164, ) == 0x0
 01045   472   NtClose  (168, ... ) == 0x0
 01046   472   NtQueryValueKey  (164,  (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01047   472   NtClose  (164, ... ) == 0x0
 01048   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 164, {status=0x0, info=0}, ) }, 3, 96, ... 164, {status=0x0, info=0}, ) == 0x0
 01049   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 168, ) }, ... 168, ) == 0x0
 01050   472   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01051   472   NtClose  (168, ... ) == 0x0
 01052   472   NtQueryVolumeInformationFile  (164, 1238776, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01053   472   NtClose  (164, ... ) == 0x0
 01054   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 164, {status=0x0, info=0}, ) }, 3, 16, ... 164, {status=0x0, info=0}, ) == 0x0
 01055   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01056   472   NtClose  (164, ... ) == 0x0
 01057   472   NtQueryInformationFile  (-1, 1238776, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01058   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238728,  (0x100080, {24, 0, 0x40, 0, 1238728, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01059   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01060   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01061   472   NtClose  (-2147482032, ... ) == 0x0
 01059   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01062   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01063   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01064   472   NtClose  (-2147482032, ... ) == 0x0
 01062   472   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01065   472   NtClose  (164, ... ) == 0x0
 01066   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 164, ) }, ... 164, ) == 0x0
 01067   472   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 168, ) }, ... 168, ) == 0x0
 01068   472   NtClose  (164, ... ) == 0x0
 01069   472   NtQueryValueKey  (168,  (168, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01070   472   NtQueryValueKey  (168,  (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0/\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0/\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0/\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0/\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\00\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01071   472   NtClose  (168, ... ) == 0x0
 01072   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 168, ) }, ... 168, ) == 0x0
 01073   472   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 164, ) }, ... 164, ) == 0x0
 01074   472   NtClose  (168, ... ) == 0x0
 01075   472   NtQueryValueKey  (164,  (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01076   472   NtClose  (164, ... ) == 0x0
 01077   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 164, {status=0x0, info=0}, ) }, 3, 96, ... 164, {status=0x0, info=0}, ) == 0x0
 01078   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 168, ) }, ... 168, ) == 0x0
 01079   472   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01080   472   NtClose  (168, ... ) == 0x0
 01081   472   NtQueryVolumeInformationFile  (164, 1238776, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01082   472   NtClose  (164, ... ) == 0x0
 01083   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 164, {status=0x0, info=0}, ) }, 3, 16, ... 164, {status=0x0, info=0}, ) == 0x0
 01084   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (164, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01085   472   NtClose  (164, ... ) == 0x0
 01086   472   NtQueryInformationFile  (-1, 1238776, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01087   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238728,  (0x100080, {24, 0, 0x40, 0, 1238728, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01088   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01089   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01090   472   NtClose  (-2147482032, ... ) == 0x0
 01088   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01091   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0008,  (164, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01092   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01093   472   NtClose  (-2147482032, ... ) == 0x0
 01091   472   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01094   472   NtClose  (164, ... ) == 0x0
 01095   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 164, ) }, ... 164, ) == 0x0
 01096   472   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 168, ) }, ... 168, ) == 0x0
 01097   472   NtClose  (164, ... ) == 0x0
 01098   472   NtQueryValueKey  (168,  (168, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01099   472   NtQueryValueKey  (168,  (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0L\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0L\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (168, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0L\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\250\0\0\0L\4\0\0\320\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0M\4\0\0\320\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0\354\346\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0(\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01100   472   NtClose  (168, ... ) == 0x0
 01101   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 168, ) }, ... 168, ) == 0x0
 01102   472   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 164, ) }, ... 164, ) == 0x0
 01103   472   NtClose  (168, ... ) == 0x0
 01104   472   NtQueryValueKey  (164,  (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01105   472   NtClose  (164, ... ) == 0x0
 01106   472   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 01107   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01108   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01109   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01110   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01111   472   NtClose  (-2147482032, ... ) == 0x0
 01109   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01112   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01113   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01114   472   NtClose  (-2147482032, ... ) == 0x0
 01112   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01115   472   NtClose  (164, ... ) == 0x0
 01116   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01117   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01118   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01119   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01120   472   NtClose  (-2147482032, ... ) == 0x0
 01118   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01121   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01122   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01123   472   NtClose  (-2147482032, ... ) == 0x0
 01121   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01124   472   NtClose  (164, ... ) == 0x0
 01125   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 164, 2, ) }, 0, 0x0, 0, ... 164, 2, ) == 0x0
 01126   472   NtSetValueKey  (164,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01127   472   NtClose  (164, ... ) == 0x0
 01128   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01130   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01131   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01132   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01133   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01134   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01135   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01136   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01137   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01138   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01139   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01140   472   NtClose  (-2147482032, ... ) == 0x0
 01138   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01141   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01142   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01143   472   NtClose  (-2147482032, ... ) == 0x0
 01141   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01144   472   NtClose  (164, ... ) == 0x0
 01145   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01146   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01147   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01148   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01149   472   NtClose  (-2147482032, ... ) == 0x0
 01147   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01150   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01151   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=0}, ) }, 0, 64, ... -2147482032, {status=0x0, info=0}, ) == 0x0
 01152   472   NtClose  (-2147482032, ... ) == 0x0
 01150   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01153   472   NtClose  (164, ... ) == 0x0
 01154   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 164, 2, ) }, 0, 0x0, 0, ... 164, 2, ) == 0x0
 01155   472   NtSetValueKey  (164,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01156   472   NtClose  (164, ... ) == 0x0
 01157   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01159   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01160   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01162   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01163   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01164   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01165   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01166   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01167   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01168   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01169   472   NtClose  (-2147482032, ... ) == 0x0
 01167   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01170   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01171   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01172   472   NtClose  (-2147482032, ... ) == 0x0
 01170   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01173   472   NtClose  (164, ... ) == 0x0
 01174   472   NtQueryInformationFile  (-1, 1239980, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01175   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1239932,  (0x100080, {24, 0, 0x40, 0, 1239932, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 164, {status=0x0, info=0}, ) == 0x0
 01176   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01177   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01178   472   NtClose  (-2147482032, ... ) == 0x0
 01176   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01179   472   NtDeviceIoControlFile  (164, 0, 0x0, 0x0, 0x6d0034,  (164, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01180   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482032, {status=0x0, info=1}, ) }, 0, 64, ... -2147482032, {status=0x0, info=1}, ) == 0x0
 01181   472   NtClose  (-2147482032, ... ) == 0x0
 01179   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01182   472   NtClose  (164, ... ) == 0x0
 01183   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 164, 2, ) }, 0, 0x0, 0, ... 164, 2, ) == 0x0
 01184   472   NtSetValueKey  (164,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (164, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01185   472   NtClose  (164, ... ) == 0x0
 01186   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01187   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01188   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01189   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01192   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01195   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01196   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 164, {status=0x0, info=1}, ) }, 3, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01197   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 168, ) }, ... 168, ) == 0x0
 01198   472   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\WinDfs\F:0000000000009231", 66, ) , 66, ) == 0x0
 01199   472   NtClose  (168, ... ) == 0x0
 01200   472   NtQueryVolumeInformationFile  (164, 1240024, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01201   472   NtClose  (164, ... ) == 0x0
 01202   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01203   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 164, {status=0x0, info=1}, ) }, 3, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01204   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 168, ) }, ... 168, ) == 0x0
 01205   472   NtQuerySymbolicLinkObject  (168, ...  (168, ... "\Device\WinDfs\U:0000000000009231", 66, ) , 66, ) == 0x0
 01206   472   NtClose  (168, ... ) == 0x0
 01207   472   NtQueryVolumeInformationFile  (164, 1240024, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01208   472   NtClose  (164, ... ) == 0x0
 01209   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01210   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 164, ) }, ... 164, ) == 0x0
 01211   472   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 168, ) }, ... 168, ) == 0x0
 01212   472   NtClose  (164, ... ) == 0x0
 01213   472   NtQueryValueKey  (168,  (168, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01214   472   NtClose  (168, ... ) == 0x0
 01215   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01216   472   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 168, ) }, ... 168, ) == 0x0
 01218   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01219   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01220   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01221   472   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01222   472   NtClose  (164, ... ) == 0x0
 01223   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01224   472   NtEnumerateKey  (170, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (170, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01225   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01226   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01227   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 164, ) }, ... 164, ) == 0x0
 01228   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01229   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01230   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01231   472   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01232   472   NtClose  (172, ... ) == 0x0
 01233   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01234   472   NtQueryValueKey  (166,  (166, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (166, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01235   472   NtClose  (166, ... ) == 0x0
 01236   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01237   472   NtEnumerateKey  (170, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01238   472   NtClose  (170, ... ) == 0x0
 01239   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 168, {status=0x0, info=1}, ) }, 3, 16417, ... 168, {status=0x0, info=1}, ) == 0x0
 01240   472   NtQueryDirectoryFile  (168, 0, 0, 0, 1238244, 616, BothDirectory, 1,  (168, 0, 0, 0, 1238244, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01241   472   NtClose  (168, ... ) == 0x0
 01242   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01243   472   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01244   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 168, ) }, ... 168, ) == 0x0
 01245   472   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01246   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01247   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01248   472   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01249   472   NtClose  (164, ... ) == 0x0
 01250   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   472   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01252   472   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01253   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01254   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01255   472   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01256   472   NtClose  (164, ... ) == 0x0
 01257   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   472   NtOpenKey  (0x2000000, {24, 170, 0x40, 0, 0, ""}, ... 164, ) == 0x0
 01259   472   NtClose  (170, ... ) == 0x0
 01260   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01261   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01262   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01263   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01264   472   NtQueryValueKey  (168,  (168, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01265   472   NtClose  (168, ... ) == 0x0
 01266   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01267   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01268   472   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0, ""}, ... 172, ) == 0x0
 01269   472   NtQueryValueKey  (172,  (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01270   472   NtQueryValueKey  (172,  (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (172, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01271   472   NtClose  (172, ... ) == 0x0
 01272   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01273   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01274   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01275   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01276   472   NtQueryValueKey  (172,  (172, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01277   472   NtClose  (172, ... ) == 0x0
 01278   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01279   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01280   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01282   472   NtQueryValueKey  (172,  (172, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01283   472   NtClose  (172, ... ) == 0x0
 01284   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01285   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01286   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01287   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01288   472   NtQueryValueKey  (172,  (172, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01289   472   NtClose  (172, ... ) == 0x0
 01290   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01291   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01292   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01293   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01294   472   NtQueryValueKey  (172,  (172, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   472   NtClose  (172, ... ) == 0x0
 01296   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01297   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01298   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01299   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01300   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01302   472   NtQueryValueKey  (172,  (172, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01303   472   NtClose  (172, ... ) == 0x0
 01304   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01305   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01306   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01307   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01308   472   NtQueryValueKey  (172,  (172, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01309   472   NtClose  (172, ... ) == 0x0
 01310   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01311   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01312   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01313   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 172, ) }, ... 172, ) == 0x0
 01314   472   NtQueryValueKey  (172,  (172, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01315   472   NtClose  (172, ... ) == 0x0
 01316   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01317   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01318   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01319   472   NtOpenKey  (0x2000000, {24, 168, 0x40, 0, 0,  (0x2000000, {24, 168, 0x40, 0, 0, "Advanced"}, ... 172, ) }, ... 172, ) == 0x0
 01320   472   NtQueryValueKey  (172,  (172, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01321   472   NtQueryValueKey  (172,  (172, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01322   472   NtQueryValueKey  (172,  (172, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01323   472   NtQueryValueKey  (172,  (172, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01324   472   NtQueryValueKey  (172,  (172, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01325   472   NtQueryValueKey  (172,  (172, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01326   472   NtQueryValueKey  (172,  (172, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01327   472   NtReleaseSemaphore  (128, 1, ... 0, ) == 0x0
 01328   472   NtWaitForSingleObject  (128, 0, {0, 0}, ... ) == 0x0
 01329   472   NtQueryValueKey  (172,  (172, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01330   472   NtQueryValueKey  (172,  (172, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01331   472   NtQueryValueKey  (172,  (172, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01332   472   NtQueryValueKey  (172,  (172, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01333   472   NtQueryValueKey  (172,  (172, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01334   472   NtClose  (172, ... ) == 0x0
 01335   472   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1406608, 0,  (0x1f0003, {24, 52, 0x80, 1406608, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS
 01336   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01337   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01338   472   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01339   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01340   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01341   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01342   472   NtClose  (176, ... ) == 0x0
 01343   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01344   472   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01346   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01347   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01348   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01349   472   NtClose  (176, ... ) == 0x0
 01350   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   472   NtQueryValueKey  (166,  (166, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01352   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01353   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01354   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01355   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01356   472   NtClose  (176, ... ) == 0x0
 01357   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01358   472   NtQueryValueKey  (166,  (166, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01359   472   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01360   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01361   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01362   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01363   472   NtClose  (176, ... ) == 0x0
 01364   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01365   472   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01366   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01367   472   NtOpenKey  (0x2000000, {24, 126, 0x40, 0, 0,  (0x2000000, {24, 126, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 176, ) }, ... 176, ) == 0x0
 01369   472   NtQueryKey  (178, Name, 384, ... {Name= (178, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01370   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01371   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01372   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01373   472   NtClose  (180, ... ) == 0x0
 01374   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01375   472   NtOpenKey  (0x1, {24, 178, 0x40, 0, 0,  (0x1, {24, 178, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01376   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01377   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01378   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01379   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01380   472   NtClose  (180, ... ) == 0x0
 01381   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01382   472   NtQueryValueKey  (166,  (166, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01384   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01385   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01386   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01387   472   NtClose  (180, ... ) == 0x0
 01388   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01389   472   NtQueryValueKey  (166,  (166, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (166, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01390   472   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01391   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01392   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01393   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01394   472   NtClose  (180, ... ) == 0x0
 01395   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01396   472   NtQueryValueKey  (166,  (166, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01397   472   NtClose  (166, ... ) == 0x0
 01398   472   NtClose  (178, ... ) == 0x0
 01399   472   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 01400   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 176, {status=0x0, info=1}, ) }, 3, 16417, ... 176, {status=0x0, info=1}, ) == 0x0
 01401   472   NtQueryDirectoryFile  (176, 0, 0, 0, 1238148, 616, BothDirectory, 1,  (176, 0, 0, 0, 1238148, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01402   472   NtClose  (176, ... ) == 0x0
 01403   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\"}, 3, 16417, ... 176, {status=0x0, info=1}, ) }, 3, 16417, ... 176, {status=0x0, info=1}, ) == 0x0
 01404   472   NtQueryDirectoryFile  (176, 0, 0, 0, 1238068, 616, BothDirectory, 1,  (176, 0, 0, 0, 1238068, 616, BothDirectory, 1, "oI3C04a8.exe", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 01405   472   NtClose  (176, ... ) == 0x0
 01406   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01407   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01408   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 176, ) }, ... 176, ) == 0x0
 01409   472   NtOpenKey  (0x2000000, {24, 176, 0x40, 0, 0,  (0x2000000, {24, 176, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 164, ) }, ... 164, ) == 0x0
 01410   472   NtClose  (176, ... ) == 0x0
 01411   472   NtQueryValueKey  (164,  (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01412   472   NtClose  (164, ... ) == 0x0
 01413   472   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 164, ) }, ... 164, ) == 0x0
 01414   472   NtEnumerateValueKey  (164, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (164, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (164, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01415   472   NtQueryKey  (126, Name, 384, ... {Name= (126, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01416   472   NtOpenKey  (0x1, {24, 126, 0x40, 0, 0,  (0x1, {24, 126, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 176, ) }, ... 176, ) == 0x0
 01418   472   NtQueryKey  (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01419   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01420   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01421   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01422   472   NtClose  (180, ... ) == 0x0
 01423   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01424   472   NtQueryValueKey  (178, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (178, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01425   472   NtQueryKey  (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01426   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01427   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01428   472   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01429   472   NtClose  (180, ... ) == 0x0
 01430   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01431   472   NtQueryValueKey  (178,  (178, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01432   472   NtClose  (178, ... ) == 0x0
 01433   472   NtEnumerateValueKey  (164, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01434   472   NtClose  (164, ... ) == 0x0
 01435   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01436   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01437   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01438   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 164, ) }, ... 164, ) == 0x0
 01439   472   NtOpenKey  (0x2000000, {24, 164, 0x40, 0, 0,  (0x2000000, {24, 164, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 176, ) }, ... 176, ) == 0x0
 01440   472   NtClose  (164, ... ) == 0x0
 01441   472   NtQueryValueKey  (176,  (176, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01442   472   NtClose  (176, ... ) == 0x0
 01443   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01444   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01445   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\oI3C04a8.exe"}, 1239392, ... ) }, 1239392, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01446   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01447   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01448   472   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\URL\Prefixes"}, ... 176, ) }, ... 176, ) == 0x0
 01449   472   NtEnumerateValueKey  (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name="ftp", Data="f\0t\0p\0:\0/\0/\0\0\0"}, 42, ) , Data= (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name="ftp", Data="f\0t\0p\0:\0/\0/\0\0\0"}, 42, ) }, 42, ) == 0x0
 01450   472   NtEnumerateValueKey  (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name="ftp", Data="f\0t\0p\0:\0/\0/\0\0\0"}, 42, ) , Data= (176, 0, Full, 220, ... TitleIdx=0, Type=1, Name="ftp", Data="f\0t\0p\0:\0/\0/\0\0\0"}, 42, ) }, 42, ) == 0x0
 01451   472   NtEnumerateValueKey  (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name="gopher", Data="g\0o\0p\0h\0e\0r\0:\0/\0/\0\0\0"}, 52, ) , Data= (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name="gopher", Data="g\0o\0p\0h\0e\0r\0:\0/\0/\0\0\0"}, 52, ) }, 52, ) == 0x0
 01452   472   NtEnumerateValueKey  (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name="gopher", Data="g\0o\0p\0h\0e\0r\0:\0/\0/\0\0\0"}, 52, ) , Data= (176, 1, Full, 220, ... TitleIdx=0, Type=1, Name="gopher", Data="g\0o\0p\0h\0e\0r\0:\0/\0/\0\0\0"}, 52, ) }, 52, ) == 0x0
 01453   472   NtEnumerateValueKey  (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name="home", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) , Data= (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name="home", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) }, 44, ) == 0x0
 01454   472   NtEnumerateValueKey  (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name="home", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) , Data= (176, 2, Full, 220, ... TitleIdx=0, Type=1, Name="home", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) }, 44, ) == 0x0
 01455   472   NtEnumerateValueKey  (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name="mosaic", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 48, ) , Data= (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name="mosaic", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 48, ) }, 48, ) == 0x0
 01456   472   NtEnumerateValueKey  (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name="mosaic", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 48, ) , Data= (176, 3, Full, 220, ... TitleIdx=0, Type=1, Name="mosaic", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 48, ) }, 48, ) == 0x0
 01457   472   NtEnumerateValueKey  (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name="www", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) , Data= (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name="www", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) }, 44, ) == 0x0
 01458   472   NtEnumerateValueKey  (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name="www", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) , Data= (176, 4, Full, 220, ... TitleIdx=0, Type=1, Name="www", Data="h\0t\0t\0p\0:\0/\0/\0\0\0"}, 44, ) }, 44, ) == 0x0
 01459   472   NtEnumerateValueKey  (176, 5, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01460   472   NtClose  (176, ... ) == 0x0
 01461   472   NtUserDestroyWindow  (131262, ...
 01462   472   NtUserRemoveProp  (131262, 43288, ... ) == 0xffffffff
 01463   472   NtUserRemoveProp  (131262, 43282, ... ) == 0x0
 01464   472   NtUserRemoveProp  (131262, 43287, ... ) == 0x0
 01461   472   NtUserDestroyWindow  ... ) == 0x1
 01465   472   NtUserUnregisterClass  (1240668, 1998258176, 1240656, ... ) == 0x1
 01466   472   NtOpenFile  (0x10080, {24, 12, 0x40, 0, 0,  (0x10080, {24, 12, 0x40, 0, 0, "ftpupd.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01467   472   NtCreateMutant  (0x1f0001, {24, 52, 0x80, 0, 0,  (0x1f0001, {24, 52, 0x80, 0, 0, "uterm19.2"}, 1, ... 176, ) }, 1, ... 176, ) == 0x0
 01468   472   NtOpenProcessToken  (-1, 0x20, ... 164, ) == 0x0
 01469   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01470   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 180, ) == 0x0
 01471   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01472   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01473   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1243244,  (0xc0100080, {24, 0, 0x40, 0, 1243244, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01474   472   NtSetInformationFile  (184, 1243300, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01475   472   NtSetInformationFile  (184, 1243292, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01476   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01477   472   NtWriteFile  (184, 105, 0, 0,  (184, 105, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01478   472   NtReadFile  (184, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (184, 105, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\337 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01479   472   NtFsControlFile  (184, 105, 0x0, 0x0, 0x11c017,  (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\337 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\377\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\337 \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01480   472   NtFsControlFile  (184, 105, 0x0, 0x0, 0x11c017,  (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305 \0"\0Hv\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0Hv\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0`\0\0\0\2\0\0\0H\0\0\0\0\0\37\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305 \0"\0Hv\25\0\21\0\0\0\0\0\0\0\20\0\0\0S\0e\0D\0e\0b\0u\0g\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 96, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01481   472   NtFsControlFile  (184, 105, 0x0, 0x0, 0x11c017,  (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (184, 105, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0J\6GLkE\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01482   472   NtClose  (180, ... ) == 0x0
 01483   472   NtClose  (184, ... ) == 0x0
 01484   472   NtAdjustPrivilegesToken  (164, 0, 1245080, 16, 0, 0, ... ) == 0x0
 01485   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01486   472   NtQueryValueKey  (184,  (184, "Windows Security Manager", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01487   472   NtClose  (184, ... ) == 0x0
 01488   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01489   472   NtQueryValueKey  (184,  (184, "Disk Defragmenter", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01490   472   NtClose  (184, ... ) == 0x0
 01491   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01492   472   NtQueryValueKey  (184,  (184, "System Restore Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01493   472   NtClose  (184, ... ) == 0x0
 01494   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01495   472   NtQueryValueKey  (184,  (184, "Bot Loader", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01496   472   NtClose  (184, ... ) == 0x0
 01497   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01498   472   NtQueryValueKey  (184,  (184, "SysTray", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01499   472   NtClose  (184, ... ) == 0x0
 01500   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01501   472   NtQueryValueKey  (184,  (184, "WinUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01502   472   NtClose  (184, ... ) == 0x0
 01503   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01504   472   NtQueryValueKey  (184,  (184, "Windows Update Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   472   NtClose  (184, ... ) == 0x0
 01506   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01507   472   NtQueryValueKey  (184,  (184, "avserve.exe", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01508   472   NtClose  (184, ... ) == 0x0
 01509   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01510   472   NtQueryValueKey  (184,  (184, "avserve2.exeUpdate Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511   472   NtClose  (184, ... ) == 0x0
 01512   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01513   472   NtQueryValueKey  (184,  (184, "MS Config v13", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01514   472   NtClose  (184, ... ) == 0x0
 01515   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01516   472   NtQueryValueKey  (184,  (184, "Windows Update", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01517   472   NtClose  (184, ... ) == 0x0
 01518   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01519   472   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ...
 01520   472   NtSetInformationFile  (-2147482808, -136248284, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01521   472   NtSetInformationFile  (-2147482808, -136248756, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01519   472   NtCreateKey  ... 184, 1, ) == 0x0
 01522   472   NtSetValueKey  (184,  (184, "ID", 0, 1, "p\0j\0g\0b\0m\0z\0g\0u\0s\0l\0v\0p\0t\0\0\0", 28, ... ) , 0, 1,  (184, "ID", 0, 1, "p\0j\0g\0b\0m\0z\0g\0u\0s\0l\0v\0p\0t\0\0\0", 28, ... ) , 28, ... ) == 0x0
 01523   472   NtClose  (184, ... ) == 0x0
 01524   472   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 184, ) }, ... 184, ) == 0x0
 01525   472   NtQueryValueKey  (184,  (184, "Cryptographic Service", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   472   NtClose  (184, ... ) == 0x0
 01527   472   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "Software\Microsoft\Wireless"}, 0, 0x0, 0, ... 184, 2, ) }, 0, 0x0, 0, ... 184, 2, ) == 0x0
 01528   472   NtSetValueKey  (184,  (184, "Client", 0, 1, "1\0\0\0", 4, ... ) , 0, 1,  (184, "Client", 0, 1, "1\0\0\0", 4, ... ) , 4, ... ) == 0x0
 01529   472   NtClose  (184, ... ) == 0x0
 01530   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1243516,  (0x80100080, {24, 0, 0x40, 0, 1243516, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 184, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 184, {status=0x0, info=1}, ) == 0x0
 01531   472   NtQueryInformationFile  (184, 1244452, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0
 01532   472   NtQueryInformationFile  (184, 1244424, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01533   472   NtQueryInformationFile  (184, 1244376, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01534   472   NtQueryInformationFile  (184, 1359048, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0
 01535   472   NtQueryInformationFile  (184, 1242920, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01536   472   NtQueryInformationFile  (184, 1242764, 4, Ea, ... {status=0x0, info=4}, ) == 0x0
 01537   472   NtCreateFile  (0x40110080, {24, 0, 0x40, 0, 1242772,  (0x40110080, {24, 0, 0x40, 0, 1242772, "\??\C:\WINDOWS\System32\eteob.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ...
 01538   472   NtClose  (-2147482032, ... ) == 0x0
 01537   472   NtCreateFile  ... 180, {status=0x0, info=2}, ) == 0x0
 01539   472   NtQueryVolumeInformationFile  (180, 1242144, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0
 01540   472   NtQueryInformationFile  (180, 1242104, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01541   472   NtQueryVolumeInformationFile  (184, 1242144, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0
 01542   472   NtSetInformationFile  (180, 1241932, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01543   472   NtCreateSection  (0xf001f, 0x0, 0x0, 2, 134217728, 184, ... 188, ) == 0x0
 01544   472   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8c0000), {0, 0}, 20480, ) == 0x0
 01545   472   NtClose  (188, ... ) == 0x0
 01546   472   NtWriteFile  (180, 0, 0, 0,  (180, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0E4\335@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0@\0\0\00\0\0\0P\0\0\217\202\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 17551, 0x0, 0, ... {status=0x0, info=17551}, ) , 17551, 0x0, 0, ... {status=0x0, info=17551}, ) == 0x0
 01547   472   NtUnmapViewOfSection  (-1, 0x8c0000, ... ) == 0x0
 01548   472   NtSetInformationFile  (180, 1244376, 40, Basic, ... {status=0x0, info=0}, ) == 0x0
 01549   472   NtClose  (184, ... ) == 0x0
 01550   472   NtClose  (180, ... ) == 0x0
 01551   472   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 180, 2, ) }, 0, 0x0, 0, ... 180, 2, ) == 0x0
 01552   472   NtSetValueKey  (180,  (180, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0e\0t\0e\0o\0b\0.\0e\0x\0e\0\0\0", 60, ... , 0, 1,  (180, "Cryptographic Service", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0e\0t\0e\0o\0b\0.\0e\0x\0e\0\0\0", 60, ... , 60, ...
 01553   472   NtSetInformationFile  (-2147482808, -136247500, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01554   472   NtSetInformationFile  (-2147482808, -136247592, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01552   472   NtSetValueKey  ... ) == 0x0
 01555   472   NtClose  (180, ... ) == 0x0
 01556   472   NtClose  (176, ... ) == 0x0
 01557   472   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 01558   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 1241008, ... ) }, 1241008, ... ) == 0x0
 01559   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 1241700, ... ) }, 1241700, ... ) == 0x0
 01560   472   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 5, 96, ... 176, {status=0x0, info=1}, ) }, 5, 96, ... 176, {status=0x0, info=1}, ) == 0x0
 01561   472   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 176, ... 180, ) == 0x0
 01562   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01563   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 184, ) }, ... 184, ) == 0x0
 01564   472   NtQueryValueKey  (184,  (184, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   472   NtClose  (184, ... ) == 0x0
 01566   472   NtQueryVolumeInformationFile  (176, 1241008, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01567   472   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 184, ) }, ... 184, ) == 0x0
 01568   472   NtWaitForSingleObject  (184, 0, {-1000000, -1}, ... ) == 0x0
 01569   472   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 188, ) }, ... 188, ) == 0x0
 01570   472   NtMapViewOfSection  (188, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x8c0000), {0, 0}, 57344, ) == 0x0
 01571   472   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 01572   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1238992, ... ) }, 1238992, ... ) == 0x0
 01573   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 192, {status=0x0, info=1}, ) }, 5, 96, ... 192, {status=0x0, info=1}, ) == 0x0
 01574   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 192, ... 196, ) == 0x0
 01575   472   NtClose  (192, ... ) == 0x0
 01576   472   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 106496, ) == 0x0
 01577   472   NtClose  (196, ... ) == 0x0
 01578   472   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01579   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239308, ... ) }, 1239308, ... ) == 0x0
 01580   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 196, {status=0x0, info=1}, ) }, 5, 96, ... 196, {status=0x0, info=1}, ) == 0x0
 01581   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 196, ... 192, ) == 0x0
 01582   472   NtQuerySection  (192, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01583   472   NtClose  (196, ... ) == 0x0
 01584   472   NtMapViewOfSection  (192, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 01585   472   NtClose  (192, ... ) == 0x0
 01586   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01587   472   NtQueryInformationFile  (192, 1239596, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01588   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 192, ... 196, ) == 0x0
 01589   472   NtMapViewOfSection  (196, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8f0000), 0x0, 1028096, ) == 0x0
 01590   472   NtQueryInformationFile  (192, 1239692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01591   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 01593   472   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01594   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01595   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1237256, 616, BothDirectory, 1,  (200, 0, 0, 0, 1237256, 616, BothDirectory, 1, "eteob.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01596   472   NtClose  (200, ... ) == 0x0
 01597   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01598   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01599   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 1236644, ... ) }, 1236644, ... ) == 0x0
 01600   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01601   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01602   472   NtClose  (200, ... ) == 0x0
 01603   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01604   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01605   472   NtClose  (200, ... ) == 0x0
 01606   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01607   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1,  (200, 0, 0, 0, 1236004, 616, BothDirectory, 1, "eteob.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01608   472   NtClose  (200, ... ) == 0x0
 01609   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01610   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01611   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01612   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01613   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01614   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01615   472   NtClose  (200, ... ) == 0x0
 01616   472   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01617   472   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\eteob.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01618   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01619   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01620   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 1238924, ... ) }, 1238924, ... ) == 0x0
 01621   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01622   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01623   472   NtClose  (200, ... ) == 0x0
 01624   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01625   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01626   472   NtClose  (200, ... ) == 0x0
 01627   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01628   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1,  (200, 0, 0, 0, 1238284, 616, BothDirectory, 1, "eteob.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01629   472   NtClose  (200, ... ) == 0x0
 01630   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01631   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01632   472   NtWaitForSingleObject  (184, 0, {-1000000, -1}, ... ) == 0x0
 01633   472   NtQueryVolumeInformationFile  (176, 1239568, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01634   472   NtQueryInformationFile  (176, 1239548, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 01635   472   NtQueryInformationFile  (176, 1239588, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01636   472   NtReleaseMutant  (184, ... 0x0, ) == 0x0
 01637   472   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 01638   472   NtClose  (196, ... ) == 0x0
 01639   472   NtClose  (192, ... ) == 0x0
 01640   472   NtQuerySection  (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01641   472   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eteob.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01642   472   NtOpenThreadToken  (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN
 01643   472   NtOpenProcessToken  (-1, 0xa, ... 192, ) == 0x0
 01644   472   NtQueryInformationToken  (192, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 01645   472   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01646   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0
 01647   472   NtQueryValueKey  (196,  (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01648   472   NtQueryValueKey  (196,  (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (196, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01649   472   NtClose  (196, ... ) == 0x0
 01650   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0
 01651   472   NtQueryValueKey  (196,  (196, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01652   472   NtQueryValueKey  (196,  (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (196, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01653   472   NtClose  (196, ... ) == 0x0
 01654   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01655   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0
 01656   472   NtQueryValueKey  (196,  (196, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01657   472   NtClose  (196, ... ) == 0x0
 01658   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01659   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01660   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01661   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01662   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01663   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01664   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01665   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01666   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01667   472   NtQueryDefaultLocale  (1, 1240380, ... ) == 0x0
 01668   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 196, ) }, ... 196, ) == 0x0
 01669   472   NtEnumerateKey  (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name= (196, 0, Basic, 280, ... {LastWrite={0x6f7a111e,0x1c73999}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0
 01670   472   NtOpenKey  (0x20019, {24, 196, 0x40, 0, 0,  (0x20019, {24, 196, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 200, ) }, ... 200, ) == 0x0
 01671   472   NtQueryValueKey  (200,  (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (200, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0
 01672   472   NtQueryValueKey  (200,  (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (200, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01673   472   NtClose  (200, ... ) == 0x0
 01674   472   NtEnumerateKey  (196, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES
 01675   472   NtClose  (196, ... ) == 0x0
 01676   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01677   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01678   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01679   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01680   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01681   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01682   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01683   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01684   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01685   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01686   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01687   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01688   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01689   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01690   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01691   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01692   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01693   472   NtClose  (196, ... ) == 0x0
 01694   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01695   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01696   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01697   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01698   472   NtClose  (196, ... ) == 0x0
 01699   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01700   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01701   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01702   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01703   472   NtClose  (196, ... ) == 0x0
 01704   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01705   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01706   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01707   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01708   472   NtClose  (196, ... ) == 0x0
 01709   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01710   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01711   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01712   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01713   472   NtClose  (196, ... ) == 0x0
 01714   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01715   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01716   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01717   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01718   472   NtClose  (196, ... ) == 0x0
 01719   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01720   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01721   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01722   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01723   472   NtClose  (196, ... ) == 0x0
 01724   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01725   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01726   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01727   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01728   472   NtClose  (196, ... ) == 0x0
 01729   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01730   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01731   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01732   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01733   472   NtClose  (196, ... ) == 0x0
 01734   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01736   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01737   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01738   472   NtClose  (196, ... ) == 0x0
 01739   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01740   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01741   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01742   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01743   472   NtClose  (196, ... ) == 0x0
 01744   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01745   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01746   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01747   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01748   472   NtClose  (196, ... ) == 0x0
 01749   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01750   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01751   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01752   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01753   472   NtClose  (196, ... ) == 0x0
 01754   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01755   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01756   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01757   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01758   472   NtClose  (196, ... ) == 0x0
 01759   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01761   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01762   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01763   472   NtClose  (196, ... ) == 0x0
 01764   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0
 01766   472   NtQueryValueKey  (196,  (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (196, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0
 01767   472   NtClose  (196, ... ) == 0x0
 01768   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01769   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 196, ) == 0x0
 01770   472   NtQueryInformationToken  (196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01771   472   NtClose  (196, ... ) == 0x0
 01772   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01773   472   NtOpenThreadToken  (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN
 01774   472   NtOpenProcessToken  (-1, 0xa, ... 196, ) == 0x0
 01775   472   NtDuplicateToken  (196, 0xc, {24, 0, 0x0, 0, 1240900, 0x0}, 0, 2, ... 200, ) == 0x0
 01776   472   NtClose  (196, ... ) == 0x0
 01777   472   NtAccessCheck  (1407952, 200, 0x1, 1241028, 1240972, 56, 1241056, ... (0x1), ) == 0x0
 01778   472   NtClose  (200, ... ) == 0x0
 01779   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 200, ) }, ... 200, ) == 0x0
 01780   472   NtQueryValueKey  (200,  (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (200, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01781   472   NtClose  (200, ... ) == 0x0
 01782   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 200, ) }, ... 200, ) == 0x0
 01783   472   NtQuerySymbolicLinkObject  (200, ...  (200, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01784   472   NtClose  (200, ... ) == 0x0
 01785   472   NtQueryInformationFile  (176, 1239360, 528, Name, ... {status=0x0, info=58}, ) == 0x0
 01786   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01787   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01788   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 01789   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01790   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01791   472   NtClose  (200, ... ) == 0x0
 01792   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01793   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01794   472   NtClose  (200, ... ) == 0x0
 01795   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 200, {status=0x0, info=1}, ) }, 3, 16417, ... 200, {status=0x0, info=1}, ) == 0x0
 01796   472   NtQueryDirectoryFile  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1,  (200, 0, 0, 0, 1237400, 616, BothDirectory, 1, "eteob.exe", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01797   472   NtClose  (200, ... ) == 0x0
 01798   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01799   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01800   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01801   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01802   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01803   472   NtClose  (200, ... ) == 0x0
 01804   472   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 200, ) }, ... 200, ) == 0x0
 01805   472   NtOpenKey  (0x20019, {24, 200, 0x40, 0, 0,  (0x20019, {24, 200, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 196, ) }, ... 196, ) == 0x0
 01806   472   NtClose  (200, ... ) == 0x0
 01807   472   NtQueryValueKey  (196,  (196, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01808   472   NtQueryValueKey  (196,  (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=1, Data= (196, "Cache", Partial, 162, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 162, ) }, 162, ) == 0x0
 01809   472   NtClose  (196, ... ) == 0x0
 01810   472   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 8192, 4, ... 9240576, 4096, ) == 0x0
 01811   472   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 01812   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 196, ) }, ... 196, ) == 0x0
 01813   472   NtQueryValueKey  (196,  (196, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01814   472   NtClose  (196, ... ) == 0x0
 01815   472   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01816   472   NtQueryInformationToken  (192, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0
 01817   472   NtQueryInformationToken  (192, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0
 01818   472   NtClose  (192, ... ) == 0x0
 01819   472   NtCreateProcessEx  (1243636, 2035711, 0, -1, 0, 180, 0, 0, 0, ... ) == 0x0
 01820   472   NtQueryInformationProcess  (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=464,}, 0x0, ) == 0x0
 01821   472   NtReadVirtualMemory  (192, 0x7ffdf008, 4, ...  (192, 0x7ffdf008, 4, ... "\0\0B1", 0x0, ) , 0x0, ) == 0x0
 01822   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\eteob.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01823   472   NtReadVirtualMemory  (192, 0x31420000, 4096, ...  (192, 0x31420000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0I\3538\210\15\212V\333\15\212V\333\15\212V\333\216\226X\333\17\212V\333\345\225R\333\17\212V\333\15\212V\333\12\212V\333\15\212W\333[\212V\333o\225E\333\4\212V\333\345\225]\333\7\212V\333Rich\15\212V\333\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0E4\335@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0@\0\0\00\0\0\0P\0\0\217\202\0\0\0`\0\0\0\200\0\0\0\0B1\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\300\0\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\200\0\0h\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0P\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 01824   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 01825   472   NtQueryInformationProcess  (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=464,}, 0x0, ) == 0x0
 01826   472   NtAllocateVirtualMemory  (-1, 0, 0, 1648, 4096, 4, ... 9371648, 4096, ) == 0x0
 01827   472   NtAllocateVirtualMemory  (192, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 01828   472   NtWriteVirtualMemory  (192, 0x10000,  (192, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 01829   472   NtAllocateVirtualMemory  (192, 0, 0, 1648, 4096, 4, ... 131072, 4096, ) == 0x0
 01830   472   NtWriteVirtualMemory  (192, 0x20000,  (192, 0x20000, "\0\20\0\0p\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0$\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\0:\0<\0\230\5\0\0:\0<\0\324\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0:\0<\0\20\6\0\0\36\0 \0L\6\0\0\0\0\2\0l\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1648, ... 0x0, ) , 1648, ... 0x0, ) == 0x0
 01831   472   NtWriteVirtualMemory  (192, 0x7ffdf010,  (192, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01832   472   NtWriteVirtualMemory  (192, 0x7ffdf1e8,  (192, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 01833   472   NtFreeVirtualMemory  (-1, (0x8f0000), 0, 32768, ... (0x8f0000), 4096, ) == 0x0
 01834   472   NtAllocateVirtualMemory  (192, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 01835   472   NtAllocateVirtualMemory  (192, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0
 01836   472   NtProtectVirtualMemory  (192, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0
 01837   472   NtCreateThread  (0x1f03ff, 0x0, 192, 1241900, 1242620, 1, ... 196, {584, 576}, ) == 0x0
 01838   472   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1420040, 1243720}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1420040, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\25\0\0\0\0\0" ... {168, 196, reply, 0, 464, 472, 1523, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\25\0\0\0\0\0" )  ... {168, 196, reply, 0, 464, 472, 1523, 0}  (24, {168, 196, new_msg, 0, 1312824, 1310720, 1420040, 1243720} "\0\0\0\0\0\0\1\0\2$\370w U\367w\303\0\0\0\304\0\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\25\0\0\0\0\0" ... {168, 196, reply, 0, 464, 472, 1523, 0} "\0\0\0\0\0\0\1\0\0\0\0\0 U\367w\300\0\0\0\304\0\0\0H\2\0\0@\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\25\0\0\0\0\0" )  ) == 0x0
 01839   472   NtResumeThread  (196, ... 1, ) == 0x0
 01840   472   NtClose  (176, ... ) == 0x0
 01841   472   NtClose  (180, ... ) == 0x0
 01842   472   NtQueryInformationProcess  (192, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=584,ParentPid=464,}, 0x0, ) == 0x0
 01843   472   NtUserWaitForInputIdle  (584, 30000, 0, ...
 01844   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01845   472   NtClose  (180, ... ) == 0x0
 01843   472   NtUserWaitForInputIdle  ... ) == 0x0
 01846   472   NtClose  (192, ... ) == 0x0
 01847   472   NtClose  (196, ... ) == 0x0
 01848   472   NtDelayExecution  (0, {-5000000, -1}, ... ) == 0x0
 01849   472   NtTerminateProcess  (0, 0, ... ) == 0x0
 01850   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 01851   472   NtWaitForMultipleObjects  (2, (136, 132, ), 1, 0, 0x0, ... ) == 0x1
 01852   472   NtClose  (132, ... ) == 0x0
 01853   472   NtSetEvent  (136, ... 0x0, ) == 0x0
 01854   472   NtClose  (136, ... ) == 0x0
 01855   472   NtWaitForMultipleObjects  (2, (140, 144, ), 1, 0, 0x0, ... ) == 0x1
 01856   472   NtClose  (144, ... ) == 0x0
 01857   472   NtSetEvent  (140, ... 0x0, ) == 0x0
 01858   472   NtClose  (140, ... ) == 0x0
 01859   472   NtWaitForMultipleObjects  (2, (148, 152, ), 1, 0, 0x0, ... ) == 0x1
 01860   472   NtClose  (152, ... ) == 0x0
 01861   472   NtSetEvent  (148, ... 0x0, ) == 0x0
 01862   472   NtClose  (148, ... ) == 0x0
 01863   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 01864   472   NtUnmapViewOfSection  (-1, 0x860000, ... ) == 0x0
 01865   472   NtClose  (88, ... ) == 0x0
 01866   472   NtGdiDeleteObjectApp  (638583781, ... ) == 0x1
 01867   472   NtUserGetProcessWindowStation  (... ) == 0x28
 01868   472   NtUserBuildNameList  (40, 256, 1354320, 1244124, ... ) == 0x0
 01869   472   NtUserGetProcessWindowStation  (... ) == 0x28
 01870   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x58
 01871   472   NtUserBuildHwndList  (88, 0, 0, 0, 64, ... (0x100aa, 0x60036, 0x20060, 0x2005c, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100b0, 0x2005e, 0x100ae, 0x100ac, 0x100a2, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 34, ) == 0x0
 01872   472   NtUserQueryWindow  (65706, 0, ... ) == 0x7e8
 01873   472   NtUserQueryWindow  (65706, 1, ... ) == 0x7ec
 01874   472   NtUserQueryWindow  (393270, 0, ... ) == 0x7e8
 01875   472   NtUserQueryWindow  (393270, 1, ... ) == 0x7ec
 01876   472   NtUserQueryWindow  (131168, 0, ... ) == 0x7e8
 01877   472   NtUserQueryWindow  (131168, 1, ... ) == 0x7ec
 01878   472   NtUserQueryWindow  (131164, 0, ... ) == 0x7e8
 01879   472   NtUserQueryWindow  (131164, 1, ... ) == 0x7ec
 01880   472   NtUserQueryWindow  (65696, 0, ... ) == 0x780
 01881   472   NtUserQueryWindow  (65696, 1, ... ) == 0x78c
 01882   472   NtUserQueryWindow  (65662, 0, ... ) == 0x780
 01883   472   NtUserQueryWindow  (65662, 1, ... ) == 0x78c
 01884   472   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 01885   472   NtUserQueryWindow  (65664, 0, ... ) == 0x780
 01886   472   NtUserQueryWindow  (65664, 1, ... ) == 0x78c
 01887   472   NtUserQueryWindow  (65670, 0, ... ) == 0x780
 01888   472   NtUserQueryWindow  (65670, 1, ... ) == 0x78c
 01889   472   NtUserQueryWindow  (65672, 0, ... ) == 0x780
 01890   472   NtUserQueryWindow  (65672, 1, ... ) == 0x78c
 01891   472   NtUserQueryWindow  (65674, 0, ... ) == 0x780
 01892   472   NtUserQueryWindow  (65674, 1, ... ) == 0x78c
 01893   472   NtUserQueryWindow  (65678, 0, ... ) == 0x780
 01894   472   NtUserQueryWindow  (65678, 1, ... ) == 0x78c
 01895   472   NtUserQueryWindow  (65680, 0, ... ) == 0x780
 01896   472   NtUserQueryWindow  (65680, 1, ... ) == 0x78c
 01897   472   NtUserQueryWindow  (65682, 0, ... ) == 0x780
 01898   472   NtUserQueryWindow  (65682, 1, ... ) == 0x78c
 01899   472   NtUserQueryWindow  (65684, 0, ... ) == 0x780
 01900   472   NtUserQueryWindow  (65684, 1, ... ) == 0x78c
 01901   472   NtUserQueryWindow  (65686, 0, ... ) == 0x780
 01902   472   NtUserQueryWindow  (65686, 1, ... ) == 0x78c
 01903   472   NtUserQueryWindow  (65690, 0, ... ) == 0x780
 01904   472   NtUserQueryWindow  (65690, 1, ... ) == 0x78c
 01905   472   NtUserQueryWindow  (65692, 0, ... ) == 0x780
 01906   472   NtUserQueryWindow  (65692, 1, ... ) == 0x78c
 01907   472   NtUserQueryWindow  (65694, 0, ... ) == 0x780
 01908   472   NtUserQueryWindow  (65694, 1, ... ) == 0x78c
 01909   472   NtUserQueryWindow  (65652, 0, ... ) == 0x780
 01910   472   NtUserQueryWindow  (65652, 1, ... ) == 0x78c
 01911   472   NtUserQueryWindow  (65640, 0, ... ) == 0x780
 01912   472   NtUserQueryWindow  (65640, 1, ... ) == 0x78c
 01913   472   NtUserQueryWindow  (196682, 0, ... ) == 0x780
 01914   472   NtUserQueryWindow  (196682, 1, ... ) == 0x78c
 01915   472   NtUserQueryWindow  (65638, 0, ... ) == 0x780
 01916   472   NtUserQueryWindow  (65638, 1, ... ) == 0x78c
 01917   472   NtUserQueryWindow  (196684, 0, ... ) == 0x780
 01918   472   NtUserQueryWindow  (196684, 1, ... ) == 0x78c
 01919   472   NtUserQueryWindow  (196668, 0, ... ) == 0x780
 01920   472   NtUserQueryWindow  (196668, 1, ... ) == 0x78c
 01921   472   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 01922   472   NtUserQueryWindow  (196670, 0, ... ) == 0x780
 01923   472   NtUserQueryWindow  (196670, 1, ... ) == 0x78c
 01924   472   NtUserQueryWindow  (196674, 0, ... ) == 0x780
 01925   472   NtUserQueryWindow  (196674, 1, ... ) == 0x78c
 01926   472   NtUserQueryWindow  (196672, 0, ... ) == 0x780
 01927   472   NtUserQueryWindow  (196672, 1, ... ) == 0x78c
 01928   472   NtUserQueryWindow  (196676, 0, ... ) == 0x780
 01929   472   NtUserQueryWindow  (196676, 1, ... ) == 0x78c
 01930   472   NtUserQueryWindow  (196678, 0, ... ) == 0x780
 01931   472   NtUserQueryWindow  (196678, 1, ... ) == 0x78c
 01932   472   NtUserQueryWindow  (196680, 0, ... ) == 0x780
 01933   472   NtUserQueryWindow  (196680, 1, ... ) == 0x78c
 01934   472   NtUserQueryWindow  (65642, 0, ... ) == 0x780
 01935   472   NtUserQueryWindow  (65642, 1, ... ) == 0x78c
 01936   472   NtUserQueryWindow  (65646, 0, ... ) == 0x780
 01937   472   NtUserQueryWindow  (65646, 1, ... ) == 0x78c
 01938   472   NtUserQueryWindow  (65650, 0, ... ) == 0x780
 01939   472   NtUserQueryWindow  (65650, 1, ... ) == 0x78c
 01940   472   NtUserQueryWindow  (65688, 0, ... ) == 0x780
 01941   472   NtUserQueryWindow  (65688, 1, ... ) == 0x78c
 01942   472   NtUserQueryWindow  (65676, 0, ... ) == 0x780
 01943   472   NtUserQueryWindow  (65676, 1, ... ) == 0x78c
 01944   472   NtUserQueryWindow  (65660, 0, ... ) == 0x780
 01945   472   NtUserQueryWindow  (65660, 1, ... ) == 0x784
 01946   472   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 01947   472   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 01948   472   NtUserQueryWindow  (65724, 0, ... ) == 0x7f0
 01949   472   NtUserQueryWindow  (65724, 1, ... ) == 0x7f4
 01950   472   NtUserQueryWindow  (65722, 0, ... ) == 0x7f0
 01951   472   NtUserQueryWindow  (65722, 1, ... ) == 0x7f4
 01952   472   NtUserQueryWindow  (65720, 0, ... ) == 0x7f0
 01953   472   NtUserQueryWindow  (65720, 1, ... ) == 0x7f4
 01954   472   NtUserQueryWindow  (65718, 0, ... ) == 0x7f0
 01955   472   NtUserQueryWindow  (65718, 1, ... ) == 0x7f4
 01956   472   NtUserQueryWindow  (65716, 0, ... ) == 0x7f0
 01957   472   NtUserQueryWindow  (65716, 1, ... ) == 0x7f4
 01958   472   NtUserQueryWindow  (65714, 0, ... ) == 0x7f0
 01959   472   NtUserQueryWindow  (65714, 1, ... ) == 0x7f4
 01960   472   NtUserQueryWindow  (65712, 0, ... ) == 0x7f0
 01961   472   NtUserQueryWindow  (65712, 1, ... ) == 0x7f4
 01962   472   NtUserQueryWindow  (131166, 0, ... ) == 0x7fc
 01963   472   NtUserQueryWindow  (131166, 1, ... ) == 0x70
 01964   472   NtUserQueryWindow  (65710, 0, ... ) == 0x7f0
 01965   472   NtUserQueryWindow  (65710, 1, ... ) == 0x7f4
 01966   472   NtUserQueryWindow  (65708, 0, ... ) == 0x7e8
 01967   472   NtUserQueryWindow  (65708, 1, ... ) == 0x7ec
 01968   472   NtUserQueryWindow  (65698, 0, ... ) == 0x7d4
 01969   472   NtUserQueryWindow  (65698, 1, ... ) == 0x7d8
 01970   472   NtUserQueryWindow  (65644, 0, ... ) == 0x780
 01971   472   NtUserQueryWindow  (65644, 1, ... ) == 0x7a8
 01972   472   NtUserQueryWindow  (327760, 0, ... ) == 0x780
 01973   472   NtUserQueryWindow  (327760, 1, ... ) == 0x784
 01974   472   NtUserQueryWindow  (262228, 0, ... ) == 0x780
 01975   472   NtUserQueryWindow  (262228, 1, ... ) == 0x784
 01976   472   NtUserQueryWindow  (327758, 0, ... ) == 0x780
 01977   472   NtUserQueryWindow  (327758, 1, ... ) == 0x784
 01978   472   NtUserQueryWindow  (65666, 0, ... ) == 0x780
 01979   472   NtUserQueryWindow  (65666, 1, ... ) == 0x784
 01980   472   NtUserQueryWindow  (65654, 0, ... ) == 0x780
 01981   472   NtUserQueryWindow  (65654, 1, ... ) == 0x784
 01982   472   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 01983   472   NtUserQueryWindow  (65656, 0, ... ) == 0x780
 01984   472   NtUserQueryWindow  (65656, 1, ... ) == 0x784
 01985   472   NtUserQueryWindow  (65658, 0, ... ) == 0x780
 01986   472   NtUserQueryWindow  (65658, 1, ... ) == 0x784
 01987   472   NtUserCloseDesktop  (88, ...
 01988   472   NtClose  (88, ... ) == 0x0
 01987   472   NtUserCloseDesktop  ... ) == 0x1
 01989   472   NtUserGetProcessWindowStation  (... ) == 0x28
 01990   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01991   472   NtUserGetProcessWindowStation  (... ) == 0x28
 01992   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 01993   472   NtGdiDeleteObjectApp  (319423462, ... ) == 0x1
 01994   472   NtGdiDeleteObjectApp  (420086558, ... ) == 0x1
 01995   472   NtClose  (68, ... ) == 0x0
 01996   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0
 01997   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 01998   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 01999   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 02000   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02001   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 02002   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02003   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 02004   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02005   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 02006   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02007   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 02008   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02009   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 02010   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02011   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 02012   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02013   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 02014   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02015   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 02016   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02017   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 02018   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02019   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 02020   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02021   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 02022   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02023   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 02024   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02025   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 02026   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02027   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 02028   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02029   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 02030   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02031   472   NtUserGetClassInfo  (1999896576, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 02032   472   NtUserUnregisterClass  (1244176, 1999896576, 1244164, ... ) == 0x1
 02033   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0
 02034   472   NtClose  (128, ... ) == 0x0
 02035   472   NtClose  (172, ... ) == 0x0
 02036   472   NtUnmapViewOfSection  (-1, 0x840000, ... ) == 0x0
 02037   472   NtClose  (80, ... ) == 0x0
 02038   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03b
 02039   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02040   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03d
 02041   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02042   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc03f
 02043   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02044   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc041
 02045   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02046   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc043
 02047   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02048   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc045
 02049   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02050   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc047
 02051   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02052   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc049
 02053   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02054   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04b
 02055   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02056   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04d
 02057   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02058   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc04f
 02059   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02060   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc051
 02061   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02062   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc053
 02063   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02064   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc057
 02065   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02066   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc059
 02067   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02068   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05b
 02069   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02070   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05d
 02071   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02072   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc05f
 02073   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02074   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc017
 02075   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02076   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc019
 02077   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02078   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc018
 02079   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02080   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01a
 02081   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02082   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01c
 02083   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02084   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01e
 02085   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02086   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc01b
 02087   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02088   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc068
 02089   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02090   472   NtUserGetClassInfo  (1905590272, 1244172, 1244124, 1244200, 0, ... ) == 0xc06a
 02091   472   NtUserUnregisterClass  (1244176, 1905590272, 1244164, ... ) == 0x1
 02092   472   NtUnmapViewOfSection  (-1, 0x850000, ... ) == 0x0
 02093   472   NtClose  (76, ... ) == 0x0
 02094   472   NtClose  (64, ... ) == 0x0
 02095   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x5,}, 4, ... ) == 0x0
 02096   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02097   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02098   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02099   472   NtClose  (168, ... ) == 0x0
 02100   472   NtClose  (84, ... ) == 0x0
 02101   472   NtFreeVirtualMemory  (-1, (0x8d0000), 4096, 32768, ... (0x8d0000), 4096, ) == 0x0
 02102   472   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 472, 4202, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 464, 472, 4202, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0@U\367w\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 472, 4202, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02103   472   NtTerminateProcess  (-1, 0, ...
 02104   472   NtClose  (44, ... ) == 0x0
NtAddAtom(>)	1	NtCreateSemaphore(>)	2	NtUserBuildHwndList(>)	4	NtReleaseSemaphore(>)	18
NtCallbackReturn(>)	1	NtGdiCreateSolidBrush(>)	2	NtWriteVirtualMemory(>)	4	NtSetInformationThread(>)	19
NtConnectPort(>)	1	NtGdiHfontCreate(>)	2	NtGdiGetStockObject(>)	5	NtCreateFile(>)	20
NtContinue(>)	1	NtOpenDirectoryObject(>)	2	NtReadFile(>)	5	NtCreateSection(>)	20
NtCreateProcessEx(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	6	NtWaitForSingleObject(>)	20
NtCreateThread(>)	1	NtQueryInstallUILanguage(>)	2	NtWriteFile(>)	6	NtQueryInformationFile(>)	22
NtDelayExecution(>)	1	NtQueryVirtualMemory(>)	2	NtOpenSymbolicLinkObject(>)	7	NtOpenSection(>)	26
NtDuplicateToken(>)	1	NtReadVirtualMemory(>)	2	NtQuerySymbolicLinkObject(>)	7	NtProtectVirtualMemory(>)	27
NtGdiCreateBitmap(>)	1	NtReleaseMutant(>)	2	NtUserCallNoParam(>)	7	NtQueryKey(>)	27
NtGdiCreatePatternBrushInternal(>)	1	NtTerminateProcess(>)	2	NtOpenProcessToken(>)	8	NtQueryInformationProcess(>)	30
NtGdiInit(>)	1	NtUserCloseDesktop(>)	2	NtQueryDefaultUILanguage(>)	8	NtMapViewOfSection(>)	40
NtGdiQueryFontAssocInfo(>)	1	NtUserCreateWindowEx(>)	2	NtQuerySection(>)	9	NtQueryAttributesFile(>)	40
NtGdiSelectBitmap(>)	1	NtUserDestroyWindow(>)	2	NtQueryVolumeInformationFile(>)	10	NtAllocateVirtualMemory(>)	41
NtOpenKeyedEvent(>)	1	NtUserMessageCall(>)	2	NtSetInformationProcess(>)	10	NtOpenProcessTokenEx(>)	43
NtOpenProcess(>)	1	NtUserWaitForInputIdle(>)	2	NtUserGetWindowDC(>)	10	NtOpenThreadTokenEx(>)	43
NtQueryInformationJobObject(>)	1	NtAdjustPrivilegesToken(>)	3	NtRequestWaitReplyPort(>)	11	NtUserUnregisterClass(>)	46
NtQueryObject(>)	1	NtDuplicateObject(>)	3	NtUserCallOneParam(>)	11	NtUserFindExistingCursorIcon(>)	48
NtQuerySystemTime(>)	1	NtFreeVirtualMemory(>)	3	NtUserSystemParametersInfo(>)	11	NtQueryInformationToken(>)	49
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtFlushInstructionCache(>)	13	NtDeviceIoControlFile(>)	55
NtResumeThread(>)	1	NtGdiDeleteObjectApp(>)	3	NtFsControlFile(>)	13	NtUserRegisterClassExWOW(>)	64
NtSecureConnectPort(>)	1	NtOpenEvent(>)	3	NtQueryDirectoryFile(>)	13	NtOpenFile(>)	66
NtTestAlert(>)	1	NtSetEvent(>)	3	NtEnumerateValueKey(>)	14	NtQuerySystemInformation(>)	77
NtUserBuildNameList(>)	1	NtUserGetObjectInformation(>)	3	NtCreateEvent(>)	15	NtUserGetClassInfo(>)	82
NtUserGetAtomName(>)	1	NtUserOpenDesktop(>)	3	NtQueryDefaultLocale(>)	15	NtUserQueryWindow(>)	112
NtUserGetDC(>)	1	NtUserRegisterWindowMessage(>)	3	NtSetValueKey(>)	15	NtQueryValueKey(>)	123
NtUserGetGUIThreadInfo(>)	1	NtUserRemoveProp(>)	3	NtOpenThreadToken(>)	16	NtOpenKey(>)	238
NtUserGetThreadDesktop(>)	1	NtWaitForMultipleObjects(>)	3	NtQueryDebugFilterState(>)	16	NtClose(>)	323
NtUserSetProp(>)	1	NtCreateMutant(>)	4	NtSetInformationFile(>)	16
NtAccessCheck(>)	2	NtEnumerateKey(>)	4	NtCreateKey(>)	17
NtCreateIoCompletion(>)	2