Summary:


NtAccessCheck(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtGdiGetStockObject(>)  5 
NtUserRegisterWindowMessage(>)  19 

NtAddAtom(>)  1 
NtContinue(>)  2 
NtUserBuildHwndList(>)  5 
NtOpenThreadToken(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteFile(>)  5 
NtUnmapViewOfSection(>)  21 

NtConnectPort(>)  1 
NtEnumerateKey(>)  2 
NtCreateSemaphore(>)  6 
NtCreateKey(>)  22 

NtCreateProcessEx(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtCreateSection(>)  27 

NtCreateThread(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultLocale(>)  6 
NtQueryInformationFile(>)  27 

NtDeleteValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtOpenSection(>)  29 

NtGdiCreateBitmap(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtReleaseSemaphore(>)  31 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtSetInformationProcess(>)  31 

NtGdiInit(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtWaitForSingleObject(>)  33 

NtGdiQueryFontAssocInfo(>)  1 
NtReleaseMutant(>)  2 
NtSetInformationFile(>)  8 
NtProtectVirtualMemory(>)  36 

NtGdiSelectBitmap(>)  1 
NtTerminateProcess(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtUserUnregisterClass(>)  46 

NtNotifyChangeKey(>)  1 
NtUserCloseDesktop(>)  2 
NtFsControlFile(>)  10 
NtMapViewOfSection(>)  48 

NtOpenKeyedEvent(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtOpenProcess(>)  1 
NtUserDestroyWindow(>)  2 
NtQuerySection(>)  11 
NtQueryInformationProcess(>)  51 

NtQueryInformationJobObject(>)  1 
NtUserMessageCall(>)  2 
NtRequestWaitReplyPort(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryObject(>)  1 
NtCreateMutant(>)  3 
NtUserCallOneParam(>)  11 
NtOpenProcessTokenEx(>)  60 

NtQueryPerformanceCounter(>)  1 
NtDuplicateObject(>)  3 
NtUserSystemParametersInfo(>)  11 
NtOpenThreadTokenEx(>)  60 

NtQuerySystemTime(>)  1 
NtEnumerateValueKey(>)  3 
NtLockFile(>)  13 
NtUserRegisterClassExWOW(>)  64 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUnlockFile(>)  13 
NtQueryAttributesFile(>)  68 

NtResumeThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtCreateEvent(>)  14 
NtQueryInformationToken(>)  72 

NtSecureConnectPort(>)  1 
NtOpenEvent(>)  3 
NtOpenProcessToken(>)  14 
NtQueryKey(>)  73 

NtTestAlert(>)  1 
NtReadVirtualMemory(>)  3 
NtSetValueKey(>)  15 
NtUserGetClassInfo(>)  82 

NtUserBuildNameList(>)  1 
NtSetEvent(>)  3 
NtQueryDebugFilterState(>)  16 
NtAllocateVirtualMemory(>)  88 

NtUserGetAtomName(>)  1 
NtUserGetObjectInformation(>)  3 
NtFlushInstructionCache(>)  17 
NtQuerySystemInformation(>)  88 

NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtFreeVirtualMemory(>)  17 
NtOpenFile(>)  90 

NtUserGetForegroundWindow(>)  1 
NtUserRemoveProp(>)  3 
NtQueryDirectoryFile(>)  17 
NtQueryValueKey(>)  125 

NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtReadFile(>)  17 
NtUserQueryWindow(>)  128 

NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationThread(>)  17 
NtOpenKey(>)  288 

NtUserSetProp(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  18 
NtClose(>)  385 


Trace:
 00001   480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   480   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   480   NtAllocateVirtualMemory  (-1, 0, 0, 2097152, 8192, 4, ... 4456448, 2097152, ) == 0x0
 00005   480   NtAllocateVirtualMemory  (-1, 4456448, 0, 4096, 4096, 4, ... 4456448, 4096, ) == 0x0
 00006   480   NtAllocateVirtualMemory  (-1, 4460544, 0, 8192, 4096, 4, ... 4460544, 8192, ) == 0x0
 00007   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   480   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   480   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   480   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   480   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   480   NtClose  (12, ... ) == 0x0
 00014   480   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   480   NtQueryVolumeInformationFile  (12, 2292424, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   480   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 2292408, ... ) }, 2292408, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   480   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   480   NtClose  (16, ... ) == 0x0
 00021   480   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   480   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   480   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4465464, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 4465464, {12, 0, 0}, 2290592, 44, ... 24, {24, 16, 0, 65536, 2490368, 18677760}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   480   NtClose  (16, ... ) == 0x0
 00026   480   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   480   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   480   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   480   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 460, 480, 1519, 0} "\3609\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ... {28, 56, reply, 0, 460, 480, 1519, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" ... {28, 56, reply, 0, 460, 480, 1519, 0} "\3609\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\35\1\4\0\0\0" )  ) == 0x0
 00032   480   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   480   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   480   NtClose  (16, ... ) == 0x0
 00036   480   NtAllocateVirtualMemory  (-1, 2281472, 0, 4096, 4096, 260, ... 2281472, 4096, ) == 0x0
 00037   480   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   480   NtClose  (28, ... ) == 0x0
 00041   480   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   480   NtClose  (28, ... ) == 0x0
 00045   480   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   480   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   480   NtClose  (28, ... ) == 0x0
 00049   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   480   NtClose  (28, ... ) == 0x0
 00052   480   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 460, 480, 1537, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ... {28, 56, reply, 0, 460, 480, 1537, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\35\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" ... {28, 56, reply, 0, 460, 480, 1537, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\35\18\6\0\0" )  ) == 0x0
 00056   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00057   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00058   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00059   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   480   NtClose  (28, ... ) == 0x0
 00062   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   480   NtClose  (28, ... ) == 0x0
 00065   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   480   NtClose  (28, ... ) == 0x0
 00068   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   480   NtClose  (28, ... ) == 0x0
 00071   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00072   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00073   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00074   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00075   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00076   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00077   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00079   480   NtClose  (28, ... ) == 0x0
 00080   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00082   480   NtClose  (28, ... ) == 0x0
 00083   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00085   480   NtClose  (28, ... ) == 0x0
 00086   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00087   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00088   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00089   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   480   NtAllocateVirtualMemory  (-1, 4468736, 0, 4096, 4096, 4, ... 4468736, 4096, ) == 0x0
 00091   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 2291200, ... ) }, 2291200, ... ) == 0x0
 00094   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00095   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00096   480   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00097   480   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00098   480   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00099   480   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00101   480   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00102   480   NtClose  (40, ... ) == 0x0
 00103   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00104   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00105   480   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00106   480   NtClose  (40, ... ) == 0x0
 00107   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   480   NtClose  (36, ... ) == 0x0
 00109   480   NtClose  (28, ... ) == 0x0
 00110   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00111   480   NtClose  (32, ... ) == 0x0
 00112   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00113   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00114   480   NtClose  (32, ... ) == 0x0
 00115   480   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00116   480   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00117   480   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00118   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00119   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00120   480   NtClose  (32, ... ) == 0x0
 00121   480   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00122   480   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00123   480   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00124   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00125   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00126   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00127   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 2291200, ... ) }, 2291200, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 2291200, ... ) }, 2291200, ... ) == 0x0
 00131   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   480   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   480   NtClose  (32, ... ) == 0x0
 00135   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00136   480   NtClose  (28, ... ) == 0x0
 00137   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 2290396, ... ) }, 2290396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 2290396, ... ) }, 2290396, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 2290396, ... ) }, 2290396, ... ) == 0x0
 00141   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00142   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00143   480   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00144   480   NtClose  (28, ... ) == 0x0
 00145   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00146   480   NtClose  (32, ... ) == 0x0
 00147   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00148   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00149   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00150   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00151   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00152   480   NtClose  (32, ... ) == 0x0
 00153   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00154   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00155   480   NtClose  (32, ... ) == 0x0
 00156   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00157   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00158   480   NtClose  (32, ... ) == 0x0
 00159   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00160   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00161   480   NtClose  (32, ... ) == 0x0
 00162   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 32, ) }, ... 32, ) == 0x0
 00163   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00164   480   NtClose  (32, ... ) == 0x0
 00165   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00166   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00167   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00168   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00169   480   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00170   480   NtClose  (32, ... ) == 0x0
 00171   480   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00172   480   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00173   480   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00174   480   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00175   480   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00176   480   NtClose  (32, ... ) == 0x0
 00177   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00178   480   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00179   480   NtClose  (32, ... ) == 0x0
 00180   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00181   480   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182   480   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183   480   NtClose  (32, ... ) == 0x0
 00184   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00185   480   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   480   NtClose  (32, ... ) == 0x0
 00187   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00188   480   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00189   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00191   480   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2295032, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 2295032, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4#\0`\10\260\15\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 460, 480, 1549, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\35\1$\1\0\0" )  ... {28, 56, reply, 0, 460, 480, 1549, 0}  (24, {28, 56, new_msg, 0, 2295032, 1, 24, 2012568566} "\210\6\35\1\0\0\0\0\314\4#\0`\10\260\15\3\0\0\0\234\6\35\1$\1\0\0" ... {28, 56, reply, 0, 460, 480, 1549, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\35\1$\1\0\0" )  ) == 0x0
 00192   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   480   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x640000), 0x0, 1060864, ) == 0x0
 00194   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00195   480   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00196   480   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00197   480   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00198   480   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00199   480   NtClose  (-2147482208, ... ) == 0x0
 00200   480   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 7667712, 4096, ) == 0x0
 00201   480   NtFreeVirtualMemory  (-1, (0x750000), 4096, 32768, ... (0x750000), 4096, ) == 0x0
 00202   480   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00203   480   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00204   480   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   480   NtClose  (-2147482208, ... ) == 0x0
 00206   480   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00207   480   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   480   NtClose  (-2147482208, ... ) == 0x0
 00209   480   NtQueryDefaultLocale  (0, -135984628, ... ) == 0x0
 00210   480   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00211   480   NtUserCallNoParam  (24, ... ) == 0x0
 00212   480   NtGdiCreateCompatibleDC  (0, ...
 00213   480   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 7667712, 4096, ) == 0x0
 00212   480   NtGdiCreateCompatibleDC  ... ) == 0x2b0103fb
 00214   480   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00215   480   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00216   480   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x80503eb
 00217   480   NtGdiCreateSolidBrush  (0, 0, ...
 00218   480   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 10878976, 4096, ) == 0x0
 00217   480   NtGdiCreateSolidBrush  ... ) == 0x67100383
 00219   480   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00220   480   NtGdiCreateCompatibleDC  (0, ... ) == 0xb0103f9
 00221   480   NtGdiSelectBitmap  (184615929, 134546411, ... ) == 0x185000f
 00222   480   NtUserGetThreadDesktop  (480, 0, ... ) == 0x2c
 00223   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00224   480   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00225   480   NtClose  (52, ... ) == 0x0
 00226   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00227   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 673, 128, 0, ... ) == 0x810dc017
 00228   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00229   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 674, 128, 0, ... ) == 0x810dc01c
 00230   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00231   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 675, 128, 0, ... ) == 0x810dc01e
 00232   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00233   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 676, 128, 0, ... ) == 0x810d8002
 00234   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10013
 00235   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 677, 128, 0, ... ) == 0x810dc018
 00236   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00237   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 678, 128, 0, ... ) == 0x810dc01a
 00238   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00239   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 679, 128, 0, ... ) == 0x810dc01d
 00240   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00241   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 681, 128, 0, ... ) == 0x810dc026
 00242   480   NtUserFindExistingCursorIcon  (2289780, 2289796, 2290364, ... ) == 0x10011
 00243   480   NtUserRegisterClassExWOW  (2290300, 2290380, 2290364, 2290396, 680, 128, 0, ... ) == 0x810dc019
 00244   480   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ...
 00245   480   NtAllocateVirtualMemory  (-1, 7831552, 0, 4096, 4096, 32, ... 7831552, 4096, ) == 0x0
 00244   480   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00246   480   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810dc022
 00247   480   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc023
 00248   480   NtUserRegisterClassExWOW  (2290252, 2290328, 2290344, 2290316, 0, 130, 0, ... ) == 0x810dc024
 00249   480   NtUserRegisterClassExWOW  (2290252, 2290332, 2290316, 2290348, 0, 128, 0, ... ) == 0x810dc025
 00250   480   NtCallbackReturn  (0, 0, 0, ...
 00251   480   NtGdiInit  (... ) == 0x1
 00252   480   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00253   480   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00254   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00255   480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10944512, 65536, ) == 0x0
 00256   480   NtAllocateVirtualMemory  (-1, 10944512, 0, 4096, 4096, 4, ... 10944512, 4096, ) == 0x0
 00257   480   NtAllocateVirtualMemory  (-1, 10948608, 0, 8192, 4096, 4, ... 10948608, 8192, ) == 0x0
 00258   480   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00259   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa80000), 0x0, 12288, ) == 0x0
 00260   480   NtClose  (52, ... ) == 0x0
 00261   480   NtAllocateVirtualMemory  (-1, 10956800, 0, 4096, 4096, 4, ... 10956800, 4096, ) == 0x0
 00262   480   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00264   480   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00265   480   NtClose  (52, ... ) == 0x0
 00266   480   NtQueryDefaultUILanguage  (2290332, ...
 00267   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00269   480   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   480   NtClose  (-2147482208, ... ) == 0x0
 00271   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00272   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   480   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00274   480   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   480   NtClose  (-2147482196, ... ) == 0x0
 00276   480   NtClose  (-2147482208, ... ) == 0x0
 00266   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   480   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00279   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00280   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00281   480   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa90000), 0x0, 8323072, ) == 0x0
 00282   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   480   NtQueryDefaultUILanguage  (2013024600, ...
 00284   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00285   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00286   480   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   480   NtClose  (-2147482208, ... ) == 0x0
 00288   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00289   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   480   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00291   480   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   480   NtClose  (-2147482196, ... ) == 0x0
 00293   480   NtClose  (-2147482208, ... ) == 0x0
 00283   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00294   480   NtAllocateVirtualMemory  (-1, 2277376, 0, 4096, 4096, 260, ... 2277376, 4096, ) == 0x0
 00295   480   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00296   480   NtQueryDefaultLocale  (1, 2288368, ... ) == 0x0
 00297   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2289224, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2289224, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1550, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365 (24, {128, 156, new_msg, 0, 2289224, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1550, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" )  ... {128, 156, reply, 0, 460, 480, 1550, 0}  (24, {128, 156, new_msg, 0, 2289224, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1550, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365 (24, {128, 156, new_msg, 0, 2289224, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1550, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\14\0\0\0\377\377\377\377\0\0\0\0\20\311\340\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0H\365"\0\0\0\0\0" )  ) == 0x0
 00299   480   NtClose  (52, ... ) == 0x0
 00300   480   NtClose  (56, ... ) == 0x0
 00301   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00302   480   NtUnmapViewOfSection  (-1, 0x22f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00303   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00304   480   NtAllocateVirtualMemory  (-1, 4472832, 0, 4096, 4096, 4, ... 4472832, 4096, ) == 0x0
 00305   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00306   480   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   480   NtClose  (56, ... ) == 0x0
 00308   480   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2287452, ... ) }, 2287452, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00314   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2288044, ... ) }, 2288044, ... ) == 0x0
 00316   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00317   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00318   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00319   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00320   480   NtClose  (52, ... ) == 0x0
 00321   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 921600, ) == 0x0
 00322   480   NtClose  (60, ... ) == 0x0
 00323   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00324   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00325   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00326   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00327   480   NtClose  (60, ... ) == 0x0
 00328   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00329   480   NtClose  (52, ... ) == 0x0
 00330   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00331   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00332   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00333   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00334   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00335   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00336   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00337   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00338   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00339   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00340   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00341   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00342   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00343   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00344   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00345   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00346   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00347   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00348   480   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   480   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   480   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   480   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 2289228, ... ) , 42, 2289228, ... ) == 0x0
 00352   480   NtQueryDefaultUILanguage  (2287944, ...
 00353   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00354   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00355   480   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00356   480   NtClose  (-2147482208, ... ) == 0x0
 00357   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00358   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   480   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00360   480   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   480   NtClose  (-2147482196, ... ) == 0x0
 00362   480   NtClose  (-2147482208, ... ) == 0x0
 00352   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00363   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00364   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286796, ... ) }, 2286796, ... ) == 0x0
 00365   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00366   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00367   480   NtClose  (52, ... ) == 0x0
 00368   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 4096, ) == 0x0
 00369   480   NtClose  (60, ... ) == 0x0
 00370   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00371   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 2286436, ... ) }, 2286436, ... ) == 0x0
 00372   480   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 2287136,  (0x80100080, {24, 0, 0x40, 0, 2287136, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00373   480   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00374   480   NtClose  (60, ... ) == 0x0
 00375   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa90000), {0, 0}, 4096, ) == 0x0
 00376   480   NtClose  (52, ... ) == 0x0
 00377   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00378   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00379   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00380   480   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa90000), 0x0, 4096, ) == 0x0
 00381   480   NtQueryInformationFile  (52, 2286756, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00382   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2286836, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2286836, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1551, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" ) \0\0\0\0\0 (24, {128, 156, new_msg, 0, 2286836, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1551, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" ) h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353 (24, {128, 156, new_msg, 0, 2286836, 1, 96, 0} "\210\6\35\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1551, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\35\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\35\1\0\0\0\0\0\0\0\0\364\353"\0\0\0\0\0" )  ) == 0x0
 00384   480   NtClose  (52, ... ) == 0x0
 00385   480   NtClose  (60, ... ) == 0x0
 00386   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 00387   480   NtUnmapViewOfSection  (-1, 0x22ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00388   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00389   480   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00390   480   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00391   480   NtUserGetDC  (0, ... ) == 0x1010053
 00392   480   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00393   480   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00394   480   NtUserSystemParametersInfo  (66, 12, 2289248, 0, ... ) == 0x1
 00395   480   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00396   480   NtAccessCheck  (4474968, 60, 0x1, 2288652, 2288596, 56, 2288680, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00397   480   NtClose  (60, ... ) == 0x0
 00398   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00399   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00400   480   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00401   480   NtClose  (60, ... ) == 0x0
 00402   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00403   480   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0
 00404   480   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00405   480   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   480   NtClose  (52, ... ) == 0x0
 00407   480   NtUserSystemParametersInfo  (41, 500, 2288748, 0, ... ) == 0x1
 00408   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00409   480   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00411   480   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   480   NtClose  (64, ... ) == 0x0
 00413   480   NtClose  (52, ... ) == 0x0
 00414   480   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00415   480   NtUserSystemParametersInfo  (4130, 0, 2289272, 0, ... ) == 0x1
 00416   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00417   480   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00418   480   NtClose  (52, ... ) == 0x0
 00419   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00420   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc03b
 00421   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc03d
 00422   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00423   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc03f
 00424   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00425   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc041
 00426   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00427   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc043
 00428   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc045
 00429   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00430   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc047
 00431   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00432   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc049
 00433   480   NtUserGetClassInfo  (1905590272, 2289168, 2289120, 2289196, 0, ... ) == 0xc049
 00434   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00435   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc04b
 00436   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00437   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc04d
 00438   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00439   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc04f
 00440   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc051
 00441   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00442   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc053
 00443   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00444   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc055
 00445   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc057
 00446   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00447   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc059
 00448   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10013
 00449   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc05b
 00450   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00451   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc05d
 00452   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00453   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc05f
 00454   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00455   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc017
 00456   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00457   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc019
 00458   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10013
 00459   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ... ) == 0x810dc018
 00460   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00461   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc01a
 00462   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00463   480   NtUserRegisterClassExWOW  (2289004, 2289084, 2289068, 2289100, 0, 384, 0, ...
 00464   480   NtAllocateVirtualMemory  (-1, 7835648, 0, 4096, 4096, 32, ... 7835648, 4096, ) == 0x0
 00463   480   NtUserRegisterClassExWOW  ... ) == 0x810dc01c
 00465   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00466   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc01e
 00467   480   NtUserFindExistingCursorIcon  (2288552, 2288568, 2289136, ... ) == 0x10011
 00468   480   NtUserRegisterClassExWOW  (2289064, 2289144, 2289128, 2289160, 0, 384, 0, ... ) == 0x810dc01b
 00469   480   NtUserFindExistingCursorIcon  (2288548, 2288564, 2289132, ... ) == 0x10011
 00470   480   NtUserRegisterClassExWOW  (2289060, 2289140, 2289124, 2289156, 0, 384, 0, ... ) == 0x810dc068
 00471   480   NtUserFindExistingCursorIcon  (2288556, 2288572, 2289140, ... ) == 0x10011
 00472   480   NtUserRegisterClassExWOW  (2289008, 2289088, 2289072, 2289104, 0, 384, 0, ... ) == 0x810dc06a
 00473   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00474   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00475   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc03b
 00476   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00477   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc03d
 00478   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00479   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00480   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc03f
 00481   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00482   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00483   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc041
 00484   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00485   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00486   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc043
 00487   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00488   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc045
 00489   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00490   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00491   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc047
 00492   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00493   480   NtUserFindExistingCursorIcon  (2291448, 2291464, 2292032, ... ) == 0x10011
 00494   480   NtUserRegisterClassExWOW  (2291900, 2291980, 2291964, 2291996, 0, 384, 0, ... ) == 0x810dc049
 00495   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00496   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00497   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc04b
 00498   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00499   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00500   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc04d
 00501   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00502   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00503   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc04f
 00504   480   NtUserGetClassInfo  (0, 2292072, 2292024, 2292100, 0, ... ) == 0x0
 00505   480   NtUserRegisterClassExWOW  (2291908, 2291988, 2291972, 2292004, 0, 384, 0, ... ) == 0x810dc051
 00506   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00507   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00508   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc053
 00509   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00510   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00511   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc055
 00512   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc057
 00513   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00514   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00515   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc059
 00516   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00517   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10013
 00518   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc05b
 00519   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00520   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00521   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc05d
 00522   480   NtUserGetClassInfo  (0, 2292068, 2292020, 2292096, 0, ... ) == 0x0
 00523   480   NtUserFindExistingCursorIcon  (2291452, 2291468, 2292036, ... ) == 0x10011
 00524   480   NtUserRegisterClassExWOW  (2291904, 2291984, 2291968, 2292000, 0, 384, 0, ... ) == 0x810dc05f
 00525   480   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {460, 0}, ... 52, ) == 0x0
 00526   480   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00527   480   NtClose  (52, ... ) == 0x0
 00528   480   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00529   480   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00530   480   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00531   480   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00532   480   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   480   NtClose  (52, ... ) == 0x0
 00534   480   NtUserSystemParametersInfo  (41, 500, 2291708, 0, ... ) == 0x1
 00535   480   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00536   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc03b
 00537   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc03d
 00538   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc03f
 00539   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc041
 00540   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc043
 00541   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc045
 00542   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc047
 00543   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc049
 00544   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc04b
 00545   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc04d
 00546   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc04f
 00547   480   NtUserGetClassInfo  (1999896576, 2292120, 2292072, 2292148, 0, ... ) == 0xc051
 00548   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc053
 00549   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc055
 00550   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc059
 00551   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc05b
 00552   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc05d
 00553   480   NtUserGetClassInfo  (1999896576, 2292116, 2292068, 2292144, 0, ... ) == 0xc05f
 00554   480   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00555   480   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00556   480   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00557   480   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00558   480   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00559   480   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00560   480   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00561   480   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00562   480   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00563   480   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00564   480   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00565   480   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00566   480   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00567   480   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00568   480   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00569   480   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00570   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00572   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00573   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00574   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11206656, 262144, ) == 0x0
 00575   480   NtAllocateVirtualMemory  (-1, 11206656, 0, 4096, 4096, 4, ... 11206656, 4096, ) == 0x0
 00576   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00577   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11468800, 262144, ) == 0x0
 00578   480   NtAllocateVirtualMemory  (-1, 11468800, 0, 4096, 4096, 4, ... 11468800, 4096, ) == 0x0
 00579   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00580   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11730944, 262144, ) == 0x0
 00581   480   NtAllocateVirtualMemory  (-1, 11730944, 0, 4096, 4096, 4, ... 11730944, 4096, ) == 0x0
 00582   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00583   480   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 11993088, 262144, ) == 0x0
 00584   480   NtAllocateVirtualMemory  (-1, 11993088, 0, 4096, 4096, 4, ... 11993088, 4096, ) == 0x0
 00585   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00586   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00587   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00588   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00589   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 2287948, ... ) }, 2287948, ... ) == 0x0
 00590   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00591   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 64, ) == 0x0
 00592   480   NtClose  (52, ... ) == 0x0
 00593   480   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbb0000), 0x0, 90112, ) == 0x0
 00594   480   NtClose  (64, ... ) == 0x0
 00595   480   NtUnmapViewOfSection  (-1, 0xbb0000, ... ) == 0x0
 00596   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 2288264, ... ) }, 2288264, ... ) == 0x0
 00597   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00598   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 52, ) == 0x0
 00599   480   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00600   480   NtClose  (64, ... ) == 0x0
 00601   480   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00602   480   NtClose  (52, ... ) == 0x0
 00603   480   NtQueryDefaultLocale  (1, 2289952, ... ) == 0x0
 00604   480   NtAllocateVirtualMemory  (-1, 11210752, 0, 4096, 4096, 4, ... 11210752, 4096, ) == 0x0
 00605   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00606   480   NtClose  (52, ... ) == 0x0
 00607   480   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   480   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00610   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00612   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00613   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00614   480   NtAllocateVirtualMemory  (-1, 4476928, 0, 4096, 4096, 4, ... 4476928, 4096, ) == 0x0
 00615   480   NtAllocateVirtualMemory  (-1, 4481024, 0, 4096, 4096, 4, ... 4481024, 4096, ) == 0x0
 00616   480   NtAllocateVirtualMemory  (-1, 4485120, 0, 4096, 4096, 4, ... 4485120, 4096, ) == 0x0
 00617   480   NtAllocateVirtualMemory  (-1, 4489216, 0, 4096, 4096, 4, ... 4489216, 4096, ) == 0x0
 00618   480   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00619   480   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 2292108, 0,  (0x1f0003, {24, 52, 0x80, 2292108, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00620   480   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0
 00621   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00622   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00623   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00624   480   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00625   480   NtClose  (68, ... ) == 0x0
 00626   480   NtAllocateVirtualMemory  (-1, 4493312, 0, 4096, 4096, 4, ... 4493312, 4096, ) == 0x0
 00627   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00630   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00631   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00632   480   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   480   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   480   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635   480   NtClose  (68, ... ) == 0x0
 00636   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00637   480   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   480   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   480   NtClose  (68, ... ) == 0x0
 00640   480   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   480   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00642   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   480   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   480   NtAllocateVirtualMemory  (-1, 4497408, 0, 8192, 4096, 4, ... 4497408, 8192, ) == 0x0
 00646   480   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0
 00647   480   NtQueryDefaultUILanguage  (2290344, ...
 00648   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00649   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00650   480   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00651   480   NtClose  (-2147482208, ... ) == 0x0
 00652   480   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00653   480   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   480   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00655   480   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   480   NtClose  (-2147482196, ... ) == 0x0
 00657   480   NtClose  (-2147482208, ... ) == 0x0
 00647   480   NtQueryDefaultUILanguage  ... ) == 0x0
 00658   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00660   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00661   480   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xbb0000), 0x0, 593920, ) == 0x0
 00662   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   480   NtQueryDefaultLocale  (1, 2288380, ... ) == 0x0
 00664   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   480   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0}  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1552, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1552, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" )  ... {128, 156, reply, 0, 460, 480, 1552, 0}  (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1552, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ) \0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365 (24, {128, 156, new_msg, 0, 2289236, 1, 96, 0} "\210\6\35\1\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" ... {128, 156, reply, 0, 460, 480, 1552, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361"\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\35\1H\0\0\0\377\377\377\377\0\0\0\0P\275\302\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\35\1\0\0\0\0\0\0\0\0T\365"\0\0\0\0\0" )  ) == 0x0
 00666   480   NtClose  (72, ... ) == 0x0
 00667   480   NtClose  (76, ... ) == 0x0
 00668   480   NtUnmapViewOfSection  (-1, 0xbb0000, ... ) == 0x0
 00669   480   NtUnmapViewOfSection  (-1, 0x22f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00670   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00671   480   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00673   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00674   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 2286920, ... ) }, 2286920, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00676   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00677   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00678   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 2287512, ... ) }, 2287512, ... ) == 0x0
 00679   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0
 00680   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00681   480   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00682   480   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00683   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00684   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 88, ) }, ... 88, ) == 0x0
 00685   480   NtNotifyChangeKey  (88, 84, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00686   480   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00687   480   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00688   480   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00689   480   NtTestAlert  (... ) == 0x0
 00690   480   NtContinue  (2293040, 1, ...
 00691   480   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x404118,}, 4, ... ) == 0x0
 00692   480   NtQueryPerformanceCounter  (... {92955785, 0}, {3579545, 0}, ) == 0x0
 00693   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00694   480   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 12255232, 65536, ) == 0x0
 00695   480   NtAllocateVirtualMemory  (-1, 12255232, 0, 4096, 4096, 4, ... 12255232, 4096, ) == 0x0
 00696   480   NtAllocateVirtualMemory  (-1, 12259328, 0, 8192, 4096, 4, ... 12259328, 8192, ) == 0x0
 00697   480   NtAllocateVirtualMemory  (-1, 12267520, 0, 4096, 4096, 4, ... 12267520, 4096, ) == 0x0
 00698   480   NtAllocateVirtualMemory  (-1, 12271616, 0, 4096, 4096, 4, ... 12271616, 4096, ) == 0x0
 00699   480   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 12320768, 4096, ) == 0x0
 00700   480   NtProtectVirtualMemory  (-1, (0xbc0000), 6, 64, ...
 00701   480   NtContinue  (-135987412, 0, ...
 00700   480   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00702   480   NtFreeVirtualMemory  (-1, (0xbc0000), 0, 32768, ... (0xbc0000), 4096, ) == 0x0
 00703   480   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00704   480   NtDeleteValueKey  (100,  (100, "Z", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   480   NtClose  (100, ... ) == 0x0
 00706   480   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 2289928,  (0x40100080, {24, 0, 0x42, 0, 2289928, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00707   480   NtClose  (-2147482208, ... ) == 0x0
 00706   480   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00708   480   NtQueryVolumeInformationFile  (100, 2290032, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00709   480   NtAllocateVirtualMemory  (-1, 12275712, 0, 8192, 4096, 4, ... 12275712, 8192, ) == 0x0
 00710   480   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0
 00711   480   NtClose  (100, ... ) == 0x0
 00712   480   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 2283628, ... ) }, 2283628, ... ) == 0x0
 00714   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00715   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00716   480   NtClose  (100, ... ) == 0x0
 00717   480   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 262144, ) == 0x0
 00718   480   NtClose  (104, ... ) == 0x0
 00719   480   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 00720   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00721   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00722   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00723   480   NtAllocateVirtualMemory  (-1, 4505600, 0, 4096, 4096, 4, ... 4505600, 4096, ) == 0x0
 00724   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 104, {status=0x0, info=0}, ) }, 7, 16, ... 104, {status=0x0, info=0}, ) == 0x0
 00725   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262VBM"\321\211}\213\355\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \321\211}\213\355\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 00726   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00727   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00728   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00729   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00730   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00731   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00732   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00733   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00734   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\333\254\376\207\360\322\234\30\347r\10\366g\257hI\36\276\266\236q2\214!\250`\234\266\16\327\34\350\300IV$\23\314\177%\325\27\261\270\204\332\346\367n\225\212\230\345\203wR\252\5\330M\357J\320\263?M\352\252\340@\321x\211\264\370X\17W+\205", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\333\254\376\207\360\322\234\30\347r\10\366g\257hI\36\276\266\236q2\214!\250`\234\266\16\327\34\350\300IV$\23\314\177%\325\27\261\270\204\332\346\367n\225\212\230\345\203wR\252\5\330M\357J\320\263?M\352\252\340@\321x\211\264\370X\17W+\205", 80, ... ) , 80, ... ) == 0x0
 00735   480   NtClose  (-2147482208, ... ) == 0x0
 00725   480   NtDeviceIoControlFile  ... {status=0x0, info=256}, " ... {status=0x0, info=256}, ""\273\323o*\355\264\312\257\251^\3337\14\361K\177\326\254\216\241\201bA\267\201\242\223:\342\365\236\27\327\351&\275'\244\354\37\321\323'\361J#\24<\365~\305:\245?lg\346\222%T\6\214\213\235\346\313\220:\364\343\2731\37\235\3047<\30\21E\310\216\236\27Qa(\262\20E#\227FC\363\364 ;.\232\353\250\353\372\202R2\257"?\237\326=$"\343\314ds\351\367\212\242r\240T\244\302X\34\374\225\4\217\336\12\233\216.\353h&\321\367 \341a\2104\36X\241\223.\354!\25\224#\305J\256\331P^q\250\311\267\211\2061(&\332\320Z\203\22z\235\360\332\367\342E1j\5\370I\214\5W\217\356\230\244\236\271\236\235p5\177\363=\14\300\207\2/B'\276Od\210\25"\242\31\271\2\344\213J0\31+|\256\223\352M\2302\301\211n=\\301\247\236h\22M5\205\355\344\3\342", ) ?\237\326=$ ... {status=0x0, info=256}, ""\273\323o*\355\264\312\257\251^\3337\14\361K\177\326\254\216\241\201bA\267\201\242\223:\342\365\236\27\327\351&\275'\244\354\37\321\323'\361J#\24<\365~\305:\245?lg\346\222%T\6\214\213\235\346\313\220:\364\343\2731\37\235\3047<\30\21E\310\216\236\27Qa(\262\20E#\227FC\363\364 ;.\232\353\250\353\372\202R2\257"?\237\326=$"\343\314ds\351\367\212\242r\240T\244\302X\34\374\225\4\217\336\12\233\216.\353h&\321\367 \341a\2104\36X\241\223.\354!\25\224#\305J\256\331P^q\250\311\267\211\2061(&\332\320Z\203\22z\235\360\332\367\342E1j\5\370I\214\5W\217\356\230\244\236\271\236\235p5\177\363=\14\300\207\2/B'\276Od\210\25"\242\31\271\2\344\213J0\31+|\256\223\352M\2302\301\211n=\\301\247\236h\22M5\205\355\344\3\342", ) \242\31\271\2\344\213J0\31+|\256\223\352M\2302\301\211n=\\301\247\236h\22M5\205\355\344\3\342", ) == 0x0
 00736   480   NtAllocateVirtualMemory  (-1, 4509696, 0, 16384, 4096, 4, ... 4509696, 16384, ) == 0x0
 00737   480   NtUserRegisterClassExWOW  (2285712, 2285792, 2285776, 2285808, 0, 384, 0, ... ) == 0x810dc038
 00738   480   NtUserGetAtomName  (49208, 2284476, ... ) == 0x15
 00739   480   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00740   480   NtAllocateVirtualMemory  (-1, 2273280, 0, 4096, 4096, 260, ... 2273280, 4096, ) == 0x0
 00741   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2282000, ... ) }, 2282000, ... ) == 0x0
 00742   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00743   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0
 00744   480   NtClose  (100, ... ) == 0x0
 00745   480   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xbc0000), 0x0, 204800, ) == 0x0
 00746   480   NtClose  (108, ... ) == 0x0
 00747   480   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 00748   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2282316, ... ) }, 2282316, ... ) == 0x0
 00749   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00750   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0
 00751   480   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00752   480   NtClose  (108, ... ) == 0x0
 00753   480   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00754   480   NtClose  (100, ... ) == 0x0
 00755   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00756   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00757   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00758   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00759   480   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00760   480   NtClose  (100, ... ) == 0x0
 00761   480   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00762   480   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 00763   480   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   480   NtClose  (108, ... ) == 0x0
 00765   480   NtClose  (100, ... ) == 0x0
 00766   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00767   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00768   480   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00769   480   NtClose  (100, ... ) == 0x0
 00770   480   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00771   480   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00772   480   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   480   NtClose  (108, ... ) == 0x0
 00774   480   NtClose  (100, ... ) == 0x0
 00775   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 2281816, ... ) }, 2281816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 2281816, ... ) }, 2281816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 2281816, ... ) }, 2281816, ... ) == 0x0
 00778   480   NtUserGetProcessWindowStation  (... ) == 0x28
 00779   480   NtUserGetObjectInformation  (40, 2, 0, 0, 2284112, ... ) == 0x0
 00780   480   NtUserGetObjectInformation  (40, 2, 4522064, 16, 2284112, ... ) == 0x1
 00781   480   NtUserGetGUIThreadInfo  (480, 2284068, ... ) == 0x1
 00782   480   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 2283888, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 2283888, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0
 00783   480   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 460, 480, 1554, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1554, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00784   480   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1555, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 460, 480, 1555, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1555, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00785   480   NtUserCallNoParam  (29, ...
 00786   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2281360, ... ) }, 2281360, ... ) == 0x0
 00785   480   NtUserCallNoParam  ... ) == 0x0
 00787   480   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00788   480   NtGdiHfontCreate  (2283440, 356, 0, 0, 4494024, ... ) == 0xb0a03fd
 00789   480   NtGdiHfontCreate  (2283440, 356, 0, 0, 4494016, ... ) == 0x80a03ee
 00790   480   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1556, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 460, 480, 1556, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 460, 480, 1556, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00791   480   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xbc0000), {0, 0}, 331776, ) == 0x0
 00792   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00793   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00794   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00795   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00796   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00797   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00798   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00799   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00800   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00801   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00802   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00803   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00804   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00805   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00806   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00807   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00808   480   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00809   480   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x31003e0
 00810   480   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00811   480   NtUserCallNoParam  (29, ...
 00812   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2280804, ... ) }, 2280804, ... ) == 0x0
 00811   480   NtUserCallNoParam  ... ) == 0x0
 00813   480   NtUserCallNoParam  (29, ...
 00814   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 2280800, ... ) }, 2280800, ... ) == 0x0
 00813   480   NtUserCallNoParam  ... ) == 0x0
 00815   480   NtUserMessageCall  (0x200b0, WM_NCCREATE, 0x0, 0x22db68, 0, 670, 0, ... ) == 0x1
 00816   480   NtUserMessageCall  (0x200b0, WM_NCCALCSIZE, 0x0, 0x22db90, 0, 670, 0, ... ) == 0x0
 00817   480   NtUserSetProp  (131248, 43288, -1, ... ) == 0x1
 00739   480   NtUserCreateWindowEx  ... ) == 0x200b0
 00818   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253\377P\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00819   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00820   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00821   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00822   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00823   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00824   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00825   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00826   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00827   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\17a\337\232@i\206j\246\223\300\235\205\223\343i\\1\207\236\350\362C\251\4j\247+\345\241\216\255\234\331\33\371\303$x\340*E\300\317\263\377\376\342\360U, 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\17a\337\232@i\206j\246\223\300\235\205\223\343i\\1\207\236\350\362C\251\4j\247+\345\241\216\255\234\331\33\371\303$x\340*E\300\317\263\377\376\342\360U, 80, ... ) , 80, ... ) == 0x0
 00828   480   NtClose  (-2147482208, ... ) == 0x0
 00818   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\212\246\347\367\235\5J\231\245=\341\304\365mQ\13\266\2540\363\24\206\345\247\334\243\324t()\261\341\353\263i\17\36\340\361j^\237\305\352L\277\7d\373\214\0F\35\345\21"-r\3m\375_\30\223^\366\22(\11\227\34{\344\366\365\343\321<\217g\375\17g\26\246\317y\177\270\334\250\330\205\351\332\365Wq\20\232}\366S\373\333P\3148\271\317T\346._e\221\221\301\256\215\341\252\21\266\320Ur\313\263\325*\374\236\371 {\336\3532gf<\7\5\213\17Z\274-\215\201\34\253R\255\342\33\23\0\2000\345U\374=\253G\347\222\250\24\202\312\351\2601e\335B\341+c\225\250\32AU$\23\346o\257\240\306\16\347/]z\251\6\260\30\354h\255\325Vo\326\277\30<:\216\233\12Z\262\213\273@\313i\354\211\205\356r\353ze)\223:\304)\357\300\212f]&4w\263\204;i\206\332#\266\30\331\203", ) -r\3m\375_\30\223^\366\22(\11\227\34{\344\366\365\343\321<\217g\375\17g\26\246\317y\177\270\334\250\330\205\351\332\365Wq\20\232}\366S\373\333P\3148\271\317T\346._e\221\221\301\256\215\341\252\21\266\320Ur\313\263\325*\374\236\371 {\336\3532gf<\7\5\213\17Z\274-\215\201\34\253R\255\342\33\23\0\2000\345U\374=\253G\347\222\250\24\202\312\351\2601e\335B\341+c\225\250\32AU$\23\346o\257\240\306\16\347/]z\251\6\260\30\354h\255\325Vo\326\277\30<:\216\233\12Z\262\213\273@\313i\354\211\205\356r\353ze)\223:\304)\357\300\212f]&4w\263\204;i\206\332#\266\30\331\203", ) == 0x0
 00829   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00830   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00831   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00832   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00833   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00834   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00835   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00836   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00837   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00838   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\276j\217[W\253\302*/|<\362m$\223V\354\215\265\35\303]\233\245\10\30) h\2744\\354t|)\210\322M, 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\276j\217[W\253\302*/|<\362m$\223V\354\215\265\35\303]\233\245\10\30) h\2744\\354t|)\210\322M, 80, ... ) , 80, ... ) == 0x0
 00839   480   NtClose  (-2147482208, ... ) == 0x0
 00829   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "f>\330\374\335\267\352\341S\37\317-\177\354\265o&\336mL47;\253\254\364C\266\215\350r\260\2716\7\365\235\254\5k\342\233P\273 \357\264\221\313\276$\10\234X\212\17\376;z\351\32\272\5)\26#]Ti\217\0U\302YY\221\17\316\334\327\344\215\241,%\363\222H\263c\207\375\220\21793\35\252\376\23**\235\240\2bF\222o,\270\257\10E\303\202\311\242\306\254b\214\200\274\363#&Y\217\347\352\360ln\27\327\3\335\5\23\347\207UC"\330\306"\216\14\216\376d\222\3\303\371\354[h\247T\305l\321\27\317\307h;\13\270YKI\310P\216\325\270O\240;\341aY\262T\260\261{\367si\352\270\225B\255\232\14`\242\307\232[\33\17s\261\230\372{\16\310\262sUK}\333\337n+P^\367\200\240Al'\267\264e;\227\200\255xu\202\227\221\234\251\327\375N\22l|\351\214\354", ) \330\306 ... {status=0x0, info=256}, "f>\330\374\335\267\352\341S\37\317-\177\354\265o&\336mL47;\253\254\364C\266\215\350r\260\2716\7\365\235\254\5k\342\233P\273 \357\264\221\313\276$\10\234X\212\17\376;z\351\32\272\5)\26#]Ti\217\0U\302YY\221\17\316\334\327\344\215\241,%\363\222H\263c\207\375\220\21793\35\252\376\23**\235\240\2bF\222o,\270\257\10E\303\202\311\242\306\254b\214\200\274\363#&Y\217\347\352\360ln\27\327\3\335\5\23\347\207UC"\330\306"\216\14\216\376d\222\3\303\371\354[h\247T\305l\321\27\317\307h;\13\270YKI\310P\216\325\270O\240;\341aY\262T\260\261{\367si\352\270\225B\255\232\14`\242\307\232[\33\17s\261\230\372{\16\310\262sUK}\333\337n+P^\367\200\240Al'\267\264e;\227\200\255xu\202\227\221\234\251\327\375N\22l|\351\214\354", ) , ) == 0x0
 00840   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\36\301K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00841   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00842   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00843   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00844   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00845   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00846   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00847   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00848   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00849   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\251\217\314\204\376\245\7Y9\256\330\234\242w%/\241@2\307\203*\265T\271Y*\375XV\227#\316\223\214\316\264.\370<\321\222\252\311Z\235v\5\340\234z\177\364*\365\365F\336\362\324lWX\252rb&\355r(+\335\241\377\255\33wjx\322", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\251\217\314\204\376\245\7Y9\256\330\234\242w%/\241@2\307\203*\265T\271Y*\375XV\227#\316\223\214\316\264.\370<\321\222\252\311Z\235v\5\340\234z\177\364*\365\365F\336\362\324lWX\252rb&\355r(+\335\241\377\255\33wjx\322", 80, ... ) , 80, ... ) == 0x0
 00850   480   NtClose  (-2147482208, ... ) == 0x0
 00840   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\233\214\255\331\177\251^\355\255[]\201\2141\361\311\277\344\247\15\366<\240\301\342C\225\261\302\333\206\342Cv\300\227\216DI$Q\253\232\225\333\361Z\14\213\320\205\344[\7\244\326\373k\14\362mT\336\277\224G4\341\300\20\355\360\354\27\327\313?\256\313T\313\243\332\343JY0\231t\347\243&Cy\220%\25\11Qz\321\200\376lo\366\344n6\362\262/@\302\243\245V\261\13 d\262\2i\300\334\236S\312\354G\32\365\34s'\202]u$)\371\235&j\312\25s\345\246\334k\10=\357\2160-'(\317JT\177\377U\2467U\23\275\224\24\31\356\262\270\220\204u\1\242_fc\302\314\34\307tgk\23\256\273\376S\276,\34j\310r\255\375\204\22\374ERp\231\214)\23\325\31s\217\340\215\3O\23\314\307\334S]\262[k:\252\22\330\240D\31"G", ) '\202]u$)\371\235&j\312\25s\345\246\334k\10=\357\2160-'(\317JT\177\377U\2467U\23\275\224\24\31\356\262\270\220\204u\1\242_fc\302\314\34\307tgk\23\256\273\376S\276,\34j\310r\255\375\204\22\374ERp\231\214)\23\325\31s\217\340\215\3O\23\314\307\334S]\262[k:\252\22\330\240D\31 ... {status=0x0, info=256}, "\233\214\255\331\177\251^\355\255[]\201\2141\361\311\277\344\247\15\366<\240\301\342C\225\261\302\333\206\342Cv\300\227\216DI$Q\253\232\225\333\361Z\14\213\320\205\344[\7\244\326\373k\14\362mT\336\277\224G4\341\300\20\355\360\354\27\327\313?\256\313T\313\243\332\343JY0\231t\347\243&Cy\220%\25\11Qz\321\200\376lo\366\344n6\362\262/@\302\243\245V\261\13 d\262\2i\300\334\236S\312\354G\32\365\34s'\202]u$)\371\235&j\312\25s\345\246\334k\10=\357\2160-'(\317JT\177\377U\2467U\23\275\224\24\31\356\262\270\220\204u\1\242_fc\302\314\34\307tgk\23\256\273\376S\276,\34j\310r\255\375\204\22\374ERp\231\214)\23\325\31s\217\340\215\3O\23\314\307\334S]\262[k:\252\22\330\240D\31"G", ) , ) == 0x0
 00851   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00852   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00853   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00854   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00855   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00856   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00857   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00858   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00859   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00860   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "In\245/TX\375\374\370\20\3053/\34\204U\372{\305\220\233\21\267\322\3057\2466\207\27\254\361\256_%\376{\243>r\243\317\366)-\79\317Kk'F\317\11\31\231\354\210\230lK\271\334z\347qfp\17'\306c'Q\331'\221\15v\36", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "In\245/TX\375\374\370\20\3053/\34\204U\372{\305\220\233\21\267\322\3057\2466\207\27\254\361\256_%\376{\243>r\243\317\366)-\79\317Kk'F\317\11\31\231\354\210\230lK\271\334z\347qfp\17'\306c'Q\331'\221\15v\36", 80, ... ) , 80, ... ) == 0x0
 00861   480   NtClose  (-2147482208, ... ) == 0x0
 00851   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\11\214\265\320(\367u<\324\276d&\177j\337\251\316\203\322\271\341,$\301\271\25($9[\316\225\210\306\372PONt\17T\227P|\330@*W\3G\306\253\373x\354\1\267\2k\234\333j\266\32\316\16\264\16h\373\217\223\232\256m\370\331\6^3\373U\223F\237\357\300\307\246\251Rw\26k{\335\344\254\251I\3553\210\34\362$\35*\375\254m\256"iw]\266_\3449\303\270\246\6\333\241I'\5\242\363jN\301\6\3\334N(R\367+\366o\37]\210\217\33\274\277p\234-\225\13q\223\331o\204\350O\227\246\254e\214\260p]\27X\6makFn\307\366+`\\271\377\253\200\352\345\350i\247r:\264}:\344:\301\2206YA\357\213[\216jS\3264\316\346\326)b\0\223JO\310\306(\353\270\325\327ia\257]?^\213'\256\353\360\232\371Jxt\370\320]\251A\177\270N\210b\330", ) iw]\266_\3449\303\270\246\6\333\241I'\5\242\363jN\301\6\3\334N(R\367+\366o\37]\210\217\33\274\277p\234-\225\13q\223\331o\204\350O\227\246\254e\214\260p]\27X\6makFn\307\366+`\\271\377\253\200\352\345\350i\247r:\264}:\344:\301\2206YA\357\213[\216jS\3264\316\346\326)b\0\223JO\310\306(\353\270\325\327ia\257]?^\213'\256\353\360\232\371Jxt\370\320]\251A\177\270N\210b\330", ) == 0x0
 00862   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00863   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00864   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00865   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00866   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00867   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00868   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00869   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00870   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00871   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\246\374\225\324:\14\236\273\246#\302\377\36,\23\177B\12\2444\256\31\372\304\333\277\303J2\243gU\366zp\246\215O\263\374\244#\323\324f\17:\300\32\225\20\232\322h\214\5\0\367\371\119]\0I\347\\24\275\271\221\344\250/\230\37\264\343[+z", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\246\374\225\324:\14\236\273\246#\302\377\36,\23\177B\12\2444\256\31\372\304\333\277\303J2\243gU\366zp\246\215O\263\374\244#\323\324f\17:\300\32\225\20\232\322h\214\5\0\367\371\119]\0I\347\\24\275\271\221\344\250/\230\37\264\343[+z", 80, ... ) , 80, ... ) == 0x0
 00872   480   NtClose  (-2147482208, ... ) == 0x0
 00862   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "o\320\272\1>|\325\351'\200\220\333\222\377\2615 \322\265\325\261H\7\255\374\13=\367\353 \3475Q'\356/\5>\374_U\214\312\3\313,\251\271FchA^\206\254\275\357\2006\334j\227\340\225nhu\334\355\243\241\252\370c\233\307\232\264\213iZE\310\246\ZM\237\373f\247.0\306\214\23o\332\336\241\222{\177\11\344\202q\27W\362\354\6\270C\345\37\343z\247\335\311\230\270\37\312\262\315\32\375\12F\305\11p=\206\301k\12\26s\225CYf\234\226\230\20ZPL\4Hg\240vgZ\360\257\337>B\376|\226\354\23\231\24\303\214\365u\206Q\33\32\320\265;\11\270I\250\350\21\342\200\325\305\254\271\337+\306qrrP\344\311\7\233\237\375\10M\314\250\36\332\\245\337\315\333,m\274\23(\366v\23\317\21\360\26&Y\332fa8\250<\301\205\247\355\323N\215\270\3635x8\354 \266p\204\6", ) , ) == 0x0
 00873   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00874   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00875   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00876   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00877   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00878   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00879   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00880   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00881   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00882   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\37d\220\255\264)\330\312\324\254\7-\2\336\216\242s\14R\223{pl-\26\3\351\0\362\307\0\2026\313KDJ\370\265\337O\320\205\306\370,\366\344\205\316yj\352Y5\17\323a8\314U\360q\217t\337\344;\335\256\224mm\264\206\240\352\247V\6", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\37d\220\255\264)\330\312\324\254\7-\2\336\216\242s\14R\223{pl-\26\3\351\0\362\307\0\2026\313KDJ\370\265\337O\320\205\306\370,\366\344\205\316yj\352Y5\17\323a8\314U\360q\217t\337\344;\335\256\224mm\264\206\240\352\247V\6", 80, ... ) , 80, ... ) == 0x0
 00883   480   NtClose  (-2147482208, ... ) == 0x0
 00873   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "7\334d\363q\2625mD\250\342\370\234\27\251-7L\273\372\360\224\3126\350\367\320:8\267H\364\244\31%w\21\335\367\226\241\225\334\237\322\267\204\370\240\341\11\4\333uV\5\4\222\354m\35\41\363e8xN\276f\374\366L\324W\305t\300c\277\13\337@\263\25\365w\351\233\322-=\10\227\374\304w\303\243\3189p\257\372.q\305\234\201\206\316\314\263\317!\236$\254\22\235\274\221N\20\342x\2174\337\244t\330\23\246q\26\374\246\324\244\206\356\23\362\275\332\376(\365\35\3033\232\307%\24\343\346@\21\37t\355\220\240\276<{\323\357\2528\220\273s\321\240\203\12\3674\23\14\255>\346\223vSXJQ<\257\224\202\353\310\207:\274.\346\274\21p\274\213\2006#ze\362\307+\303\15\367\26D\223C\333.\346\274\246\353N0\305L>\302\333IB\32\35\311\274\355\215\2V\235q'^\276\366\337!\275", ) , ) == 0x0
 00884   480   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\211\215\312\246:w\262\223 \337\313\256j\253:2K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\36\301K\314\246E8\333\243\331%\331\246\356\257\36\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00885   480   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00886   480   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00887   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00888   480   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00889   480   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00890   480   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00891   480   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00892   480   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00893   480   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\11\306w7\226\260\206\227\240\274\24\255R^5e\366\321-\344\303{\23\354\362\320\311\203\204\251\12\301~\212\370@e\13\337C\253q0\250\340\320\26z\307\244\317\320<\3062\16`\15\364\322\310\365\244\21\200A\377Kh\227W\232\216\7\311N,S\231\272", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\11\306w7\226\260\206\227\240\274\24\255R^5e\366\321-\344\303{\23\354\362\320\311\203\204\251\12\301~\212\370@e\13\337C\253q0\250\340\320\26z\307\244\317\320<\3062\16`\15\364\322\310\365\244\21\200A\377Kh\227W\232\216\7\311N,S\231\272", 80, ... ) , 80, ... ) == 0x0
 00894   480   NtClose  (-2147482208, ... ) == 0x0
 00884   480   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\37\206\333.\35N?\247\211Y\301\314\20V-\11\374\236\374\311\15se\226\271L\371%i(}4Y\5G3\303-\122]\245\365\2\352\6\34\263\205@<\255\275\370\15\373\307=\346E\240\242w\371\341\217\350\302\255y\267/\277\253\31Uv'2\254\316]\366M\231\232\363N;\354\253\3210\363pj\362\314-P\317r#\250s4\16\323\364\361\257\344\202\275`\363?L\325C(1\2668\237^\253\357\27\212\222+$~\3\306\201t\355\336\204v]o6\12\352T%\4\323\303Q\214e\20r\25\15\206\377\236\357\324\271\350\331\1<\23\13E\255u\27\341\310\\330\202\317gK\276m\312e\330c\262\263\303\310\11-#8\270\7f\344\225y4\26\375\07\365\253Y\375\365\367\5F1\32\264\215\332l\301\0\321w\24\203dz+\16\376y\270!\343", ) \375\365\367\5F1\32\264\215\332l\301\0\321w\24\203dz+\16\376y\270!\343", ) == 0x0
 00895   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 112, ) }, ... 112, ) == 0x0
 00896   480   NtQueryValueKey  (112,  (112, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 00898   480   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   480   NtClose  (116, ... ) == 0x0
 00900   480   NtClose  (112, ... ) == 0x0
 00901   480   NtAllocateVirtualMemory  (-1, 4526080, 0, 24576, 4096, 4, ... 4526080, 24576, ) == 0x0
 00902   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 2283872, ... ) }, 2283872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 2283872, ... ) }, 2283872, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 2283872, ... ) }, 2283872, ... ) == 0x0
 00906   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00907   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 00908   480   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   480   NtClose  (112, ... ) == 0x0
 00910   480   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00911   480   NtClose  (116, ... ) == 0x0
 00912   480   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00915   480   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   480   NtClose  (116, ... ) == 0x0
 00917   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00919   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00920   480   NtQuerySystemTime  (... {-1132538772, 29868081}, ) == 0x0
 00921   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00922   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   480   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00924   480   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00925   480   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00926   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00927   480   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0
 00928   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00929   480   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00930   480   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00931   480   NtClose  (136, ... ) == 0x0
 00932   480   NtClose  (132, ... ) == 0x0
 00933   480   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00934   480   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00935   480   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00936   480   NtAllocateVirtualMemory  (-1, 4550656, 0, 4096, 4096, 4, ... 4550656, 4096, ) == 0x0
 00937   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00938   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00939   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00940   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00941   480   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 2284240,  (0xc0100080, {24, 0, 0x40, 0, 2284240, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00942   480   NtSetInformationFile  (148, 2284296, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00943   480   NtSetInformationFile  (148, 2284288, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00944   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00945   480   NtWriteFile  (148, 125, 0, 0,  (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00946   480   NtReadFile  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00947   480   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20p \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00948   480   NtClose  (144, ... ) == 0x0
 00949   480   NtClose  (148, ... ) == 0x0
 00950   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 2284284, ... ) }, 2284284, ... ) == 0x0
 00951   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00952   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00953   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2284104, ... ) }, 2284104, ... ) == 0x0
 00954   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00955   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00956   480   NtAllocateVirtualMemory  (-1, 4554752, 0, 4096, 4096, 4, ... 4554752, 4096, ) == 0x0
 00957   480   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 4555032, 0,  (0x1f0003, {24, 52, 0x80, 4555032, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS
 00958   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00959   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00960   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00962   480   NtQueryValueKey  (144,  (144, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   480   NtClose  (144, ... ) == 0x0
 00964   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00965   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00966   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00968   480   NtQueryValueKey  (144,  (144, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   480   NtClose  (144, ... ) == 0x0
 00970   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00971   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00972   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00974   480   NtQueryValueKey  (144,  (144, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   480   NtClose  (144, ... ) == 0x0
 00976   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00977   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00978   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00980   480   NtQueryValueKey  (144,  (144, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   480   NtClose  (144, ... ) == 0x0
 00982   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00984   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00985   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00987   480   NtQueryValueKey  (144,  (144, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   480   NtClose  (144, ... ) == 0x0
 00989   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00990   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00991   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00993   480   NtQueryValueKey  (144,  (144, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   480   NtClose  (144, ... ) == 0x0
 00995   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00996   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 00997   480   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00998   480   NtClose  (144, ... ) == 0x0
 00999   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01000   480   NtSetInformationObject  (146, Handle, {Inherit=0,ProtectFromClose=1,}, 2228480, ... ) == 0x0
 01001   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01002   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 152, ) }, ... 152, ) == 0x0
 01004   480   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01005   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01006   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01007   480   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01008   480   NtClose  (156, ... ) == 0x0
 01009   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   480   NtQueryValueKey  (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01011   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 2282012, ... ) }, 2282012, ... ) == 0x0
 01012   480   NtClose  (154, ... ) == 0x0
 01013   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01014   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 152, ) }, ... 152, ) == 0x0
 01016   480   NtAllocateVirtualMemory  (-1, 4558848, 0, 4096, 4096, 4, ... 4558848, 4096, ) == 0x0
 01017   480   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01018   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01019   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01020   480   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01021   480   NtClose  (156, ... ) == 0x0
 01022   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   480   NtEnumerateKey  (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01024   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01025   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 156, ) }, ... 156, ) == 0x0
 01027   480   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01028   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01029   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01030   480   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01031   480   NtClose  (160, ... ) == 0x0
 01032   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   480   NtQueryValueKey  (158,  (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01034   480   NtClose  (158, ... ) == 0x0
 01035   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01036   480   NtEnumerateKey  (154, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01037   480   NtClose  (154, ... ) == 0x0
 01038   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01039   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01040   480   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 156, ) }, ... 156, ) == 0x0
 01041   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01043   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01045   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 160, ) }, ... 160, ) == 0x0
 01047   480   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01048   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01049   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01050   480   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01051   480   NtClose  (164, ... ) == 0x0
 01052   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   480   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 01054   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01055   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 164, ) }, ... 164, ) == 0x0
 01057   480   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01058   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01059   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01060   480   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01061   480   NtClose  (168, ... ) == 0x0
 01062   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   480   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   480   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01065   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01066   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01067   480   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01068   480   NtClose  (168, ... ) == 0x0
 01069   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   480   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0, ""}, ... 168, ) == 0x0
 01071   480   NtClose  (166, ... ) == 0x0
 01072   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01073   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01074   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01076   480   NtQueryValueKey  (164,  (164, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   480   NtClose  (164, ... ) == 0x0
 01078   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01079   480   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 164, ) == 0x0
 01080   480   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01081   480   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01082   480   NtClose  (164, ... ) == 0x0
 01083   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01084   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01085   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01087   480   NtQueryValueKey  (164,  (164, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   480   NtClose  (164, ... ) == 0x0
 01089   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01090   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01091   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01093   480   NtQueryValueKey  (164,  (164, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   480   NtClose  (164, ... ) == 0x0
 01095   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01096   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01097   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01099   480   NtQueryValueKey  (164,  (164, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   480   NtClose  (164, ... ) == 0x0
 01101   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01102   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01103   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01105   480   NtQueryValueKey  (164,  (164, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   480   NtClose  (164, ... ) == 0x0
 01107   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01108   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01109   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01110   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01111   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01113   480   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   480   NtClose  (164, ... ) == 0x0
 01115   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01116   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01117   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01119   480   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   480   NtClose  (164, ... ) == 0x0
 01121   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01122   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01123   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01125   480   NtQueryValueKey  (164,  (164, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   480   NtClose  (164, ... ) == 0x0
 01127   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01128   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01129   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01130   480   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 164, ) }, ... 164, ) == 0x0
 01131   480   NtQueryValueKey  (164,  (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01132   480   NtQueryValueKey  (164,  (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01133   480   NtQueryValueKey  (164,  (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01134   480   NtQueryValueKey  (164,  (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01135   480   NtQueryValueKey  (164,  (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   480   NtQueryValueKey  (164,  (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01137   480   NtQueryValueKey  (164,  (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01139   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01140   480   NtQueryValueKey  (164,  (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01141   480   NtQueryValueKey  (164,  (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   480   NtQueryValueKey  (164,  (164, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   480   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01144   480   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   480   NtClose  (164, ... ) == 0x0
 01146   480   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 4555032, 0,  (0x1f0003, {24, 52, 0x80, 4555032, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS
 01147   480   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01148   480   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01149   480   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01150   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01152   480   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153   480   NtClose  (172, ... ) == 0x0
 01154   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   480   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01157   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01160   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 172, ) }, ... 172, ) == 0x0
 01162   480   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01163   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01164   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01165   480   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01166   480   NtClose  (176, ... ) == 0x0
 01167   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   480   NtQueryValueKey  (174,  (174, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   480   NtClose  (174, ... ) == 0x0
 01170   480   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01171   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01172   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01173   480   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01174   480   NtClose  (172, ... ) == 0x0
 01175   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   480   NtQueryValueKey  (170,  (170, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   480   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01178   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01179   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01180   480   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01181   480   NtClose  (172, ... ) == 0x0
 01182   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   480   NtQueryValueKey  (170,  (170, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   480   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01185   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01186   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01187   480   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01188   480   NtClose  (172, ... ) == 0x0
 01189   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   480   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01192   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 172, ) }, ... 172, ) == 0x0
 01194   480   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 01195   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01196   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01197   480   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   480   NtClose  (176, ... ) == 0x0
 01199   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   480   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   480   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01202   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01203   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01204   480   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01205   480   NtClose  (176, ... ) == 0x0
 01206   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   480   NtQueryValueKey  (170,  (170, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   480   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01209   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01211   480   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   480   NtClose  (176, ... ) == 0x0
 01213   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   480   NtQueryValueKey  (170,  (170, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   480   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01216   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01217   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01218   480   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01219   480   NtClose  (176, ... ) == 0x0
 01220   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   480   NtQueryValueKey  (170,  (170, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   480   NtClose  (162, ... ) == 0x0
 01223   480   NtClose  (170, ... ) == 0x0
 01224   480   NtClose  (174, ... ) == 0x0
 01225   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01226   480   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 4555032, 0,  (0x1f0003, {24, 52, 0x80, 4555032, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS
 01227   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01228   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01229   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01230   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01231   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01232   480   NtQueryValueKey  (168,  (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01233   480   NtClose  (168, ... ) == 0x0
 01234   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 2284248, ... ) }, 2284248, ... ) == 0x0
 01235   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01236   480   NtSetValueKey  (168,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0
 01237   480   NtClose  (168, ... ) == 0x0
 01238   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 2282660, ... ) }, 2282660, ... ) == 0x0
 01239   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01240   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 160, ) == 0x0
 01241   480   NtClose  (168, ... ) == 0x0
 01242   480   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc20000), 0x0, 262144, ) == 0x0
 01243   480   NtClose  (160, ... ) == 0x0
 01244   480   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01245   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01246   480   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   480   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 2282224, ... ) }, 2282224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 2282224, ... ) }, 2282224, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 2282224, ... ) }, 2282224, ... ) == 0x0
 01251   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01252   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 168, ) == 0x0
 01253   480   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01254   480   NtClose  (160, ... ) == 0x0
 01255   480   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01256   480   NtClose  (168, ... ) == 0x0
 01257   480   NtAllocateVirtualMemory  (-1, 10960896, 0, 4096, 4096, 4, ... 10960896, 4096, ) == 0x0
 01258   480   NtQueryDefaultLocale  (1, 2282056, ... ) == 0x0
 01259   480   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01260   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01261   480   NtQueryValueKey  (168,  (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01262   480   NtClose  (168, ... ) == 0x0
 01263   480   NtUserGetProcessWindowStation  (... ) == 0x28
 01264   480   NtUserGetObjectInformation  (40, 1, 2281728, 12, 2281740, ... ) == 0x1
 01265   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 168, ) }, ... 168, ) == 0x0
 01266   480   NtQueryValueKey  (168,  (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01267   480   NtClose  (168, ... ) == 0x0
 01268   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01269   480   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01270   480   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01271   480   NtClose  (168, ... ) == 0x0
 01272   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01273   480   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01274   480   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01275   480   NtClose  (168, ... ) == 0x0
 01276   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01277   480   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01278   480   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01279   480   NtClose  (168, ... ) == 0x0
 01280   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01281   480   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01282   480   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01283   480   NtClose  (168, ... ) == 0x0
 01284   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01285   480   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01286   480   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01287   480   NtClose  (168, ... ) == 0x0
 01288   480   NtAllocateVirtualMemory  (-1, 4562944, 0, 4096, 4096, 4, ... 4562944, 4096, ) == 0x0
 01289   480   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 168, ) }, ... 168, ) == 0x0
 01290   480   NtQueryValueKey  (168,  (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01291   480   NtClose  (168, ... ) == 0x0
 01292   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01293   480   NtCreateMutant  (0x1f0001, 0x0, 0, ... 160, ) == 0x0
 01294   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01295   480   NtCreateMutant  (0x1f0001, 0x0, 0, ... 180, ) == 0x0
 01296   480   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01297   480   NtCreateMutant  (0x1f0001, 0x0, 0, ... 188, ) == 0x0
 01298   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 192, ) }, ... 192, ) == 0x0
 01299   480   NtQueryValueKey  (192,  (192, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   480   NtQueryValueKey  (192,  (192, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   480   NtOpenKey  (0x1, {24, 192, 0x40, 0, 0,  (0x1, {24, 192, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   480   NtClose  (192, ... ) == 0x0
 01303   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 2281648, ... ) }, 2281648, ... ) == 0x0
 01304   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 192, ) }, ... 192, ) == 0x0
 01305   480   NtQueryValueKey  (192,  (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01306   480   NtClose  (192, ... ) == 0x0
 01307   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01308   480   NtQueryValueKey  (192,  (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01309   480   NtClose  (192, ... ) == 0x0
 01310   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01312   480   NtQueryValueKey  (192,  (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01313   480   NtClose  (192, ... ) == 0x0
 01314   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01315   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01316   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01317   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01318   480   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 2282428,  (0xc0100080, {24, 0, 0x40, 0, 2282428, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01319   480   NtSetInformationFile  (196, 2282484, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01320   480   NtSetInformationFile  (196, 2282476, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01321   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01322   480   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01323   480   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01324   480   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\241\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01325   480   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01326   480   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0.\305\234\366$,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01327   480   NtClose  (192, ... ) == 0x0
 01328   480   NtClose  (196, ... ) == 0x0
 01329   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01330   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01331   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01332   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01333   480   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 2282428,  (0xc0100080, {24, 0, 0x40, 0, 2282428, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   480   NtSetInformationFile  (192, 2282484, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01335   480   NtSetInformationFile  (192, 2282476, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01336   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01337   480   NtWriteFile  (192, 125, 0, 0,  (192, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01338   480   NtReadFile  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01339   480   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\14\0\0\0\2\0\1\0\0\10\0\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332"\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\242\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01340   480   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01341   480   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0/\305\234\366$,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01342   480   NtClose  (196, ... ) == 0x0
 01343   480   NtClose  (192, ... ) == 0x0
 01344   480   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01345   480   NtOpenProcessToken  (-1, 0x20, ... 192, ) == 0x0
 01346   480   NtAdjustPrivilegesToken  (192, 0, 4563168, 0, 0, 0, ... ) == 0x0
 01347   480   NtClose  (192, ... ) == 0x0
 01348   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01349   480   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01350   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01351   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01352   480   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 2282668,  (0xc0100080, {24, 0, 0x40, 0, 2282668, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01353   480   NtSetInformationFile  (196, 2282724, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01354   480   NtSetInformationFile  (196, 2282716, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01355   480   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01356   480   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01357   480   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20&\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01358   480   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20&\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20&\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01359   480   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01360   480   NtOpenProcessToken  (-1, 0x20, ... 200, ) == 0x0
 01361   480   NtAdjustPrivilegesToken  (200, 0, 4563248, 0, 0, 0, ... ) == 0x0
 01362   480   NtClose  (200, ... ) == 0x0
 01363   480   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01364   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01365   480   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01366   480   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01367   480   NtClose  (204, ... ) == 0x0
 01368   480   NtQueryVolumeInformationFile  (200, 2283128, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369   480   NtClose  (200, ... ) == 0x0
 01370   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=1}, ) }, 3, 16, ... 200, {status=0x0, info=1}, ) == 0x0
 01371   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01372   480   NtClose  (200, ... ) == 0x0
 01373   480   NtQueryInformationFile  (-1, 2283128, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01374   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2283080,  (0x100080, {24, 0, 0x40, 0, 2283080, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01375   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01376   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01377   480   NtClose  (-2147482208, ... ) == 0x0
 01375   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01378   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01379   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01380   480   NtClose  (-2147482208, ... ) == 0x0
 01378   480   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01381   480   NtClose  (200, ... ) == 0x0
 01382   480   NtAllocateVirtualMemory  (-1, 4567040, 0, 4096, 4096, 4, ... 4567040, 4096, ) == 0x0
 01383   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01384   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01385   480   NtClose  (200, ... ) == 0x0
 01386   480   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01387   480   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326 (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01388   480   NtClose  (204, ... ) == 0x0
 01389   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01390   480   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01391   480   NtClose  (204, ... ) == 0x0
 01392   480   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01393   480   NtClose  (200, ... ) == 0x0
 01394   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01395   480   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01396   480   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01397   480   NtClose  (204, ... ) == 0x0
 01398   480   NtQueryVolumeInformationFile  (200, 2283128, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01399   480   NtClose  (200, ... ) == 0x0
 01400   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01401   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01402   480   NtClose  (200, ... ) == 0x0
 01403   480   NtQueryInformationFile  (-1, 2283128, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01404   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2283080,  (0x100080, {24, 0, 0x40, 0, 2283080, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01405   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01406   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01407   480   NtClose  (-2147482208, ... ) == 0x0
 01405   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01408   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01409   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01410   480   NtClose  (-2147482208, ... ) == 0x0
 01408   480   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\16\201\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01411   480   NtClose  (200, ... ) == 0x0
 01412   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01413   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01414   480   NtClose  (200, ... ) == 0x0
 01415   480   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01416   480   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326 (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01417   480   NtClose  (204, ... ) == 0x0
 01418   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01419   480   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01420   480   NtClose  (204, ... ) == 0x0
 01421   480   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   480   NtClose  (200, ... ) == 0x0
 01423   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01424   480   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01425   480   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01426   480   NtClose  (204, ... ) == 0x0
 01427   480   NtQueryVolumeInformationFile  (200, 2283128, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01428   480   NtClose  (200, ... ) == 0x0
 01429   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01430   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01431   480   NtClose  (200, ... ) == 0x0
 01432   480   NtQueryInformationFile  (-1, 2283128, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01433   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2283080,  (0x100080, {24, 0, 0x40, 0, 2283080, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01434   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01435   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01436   480   NtClose  (-2147482208, ... ) == 0x0
 01434   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01437   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01438   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01439   480   NtClose  (-2147482208, ... ) == 0x0
 01437   480   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01440   480   NtClose  (200, ... ) == 0x0
 01441   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01442   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01443   480   NtClose  (200, ... ) == 0x0
 01444   480   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01445   480   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) \0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326 (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\314\1\0\0\340\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\314\1\0\0\340\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326"\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326"\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01446   480   NtClose  (204, ... ) == 0x0
 01447   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01448   480   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01449   480   NtClose  (204, ... ) == 0x0
 01450   480   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01451   480   NtClose  (200, ... ) == 0x0
 01452   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01453   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01454   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01455   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01456   480   NtClose  (-2147482208, ... ) == 0x0
 01454   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01457   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01458   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01459   480   NtClose  (-2147482208, ... ) == 0x0
 01457   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01460   480   NtClose  (200, ... ) == 0x0
 01461   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01462   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01463   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01464   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01465   480   NtClose  (-2147482208, ... ) == 0x0
 01463   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01466   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01467   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01468   480   NtClose  (-2147482208, ... ) == 0x0
 01466   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01469   480   NtClose  (200, ... ) == 0x0
 01470   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01471   480   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01472   480   NtClose  (200, ... ) == 0x0
 01473   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01475   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01479   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01482   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01483   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01484   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01485   480   NtClose  (-2147482208, ... ) == 0x0
 01483   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01486   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01487   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01488   480   NtClose  (-2147482208, ... ) == 0x0
 01486   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01489   480   NtClose  (200, ... ) == 0x0
 01490   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01491   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01492   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01493   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01494   480   NtClose  (-2147482208, ... ) == 0x0
 01492   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01495   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01496   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01497   480   NtClose  (-2147482208, ... ) == 0x0
 01495   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01498   480   NtClose  (200, ... ) == 0x0
 01499   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01500   480   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01501   480   NtClose  (200, ... ) == 0x0
 01502   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01504   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01508   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01511   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01512   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01513   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01514   480   NtClose  (-2147482208, ... ) == 0x0
 01512   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01515   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01516   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01517   480   NtClose  (-2147482208, ... ) == 0x0
 01515   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01518   480   NtClose  (200, ... ) == 0x0
 01519   480   NtQueryInformationFile  (-1, 2284332, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01520   480   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 2284284,  (0x100080, {24, 0, 0x40, 0, 2284284, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01521   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01522   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01523   480   NtClose  (-2147482208, ... ) == 0x0
 01521   480   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01524   480   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01525   480   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01526   480   NtClose  (-2147482208, ... ) == 0x0
 01524   480   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01527   480   NtClose  (200, ... ) == 0x0
 01528   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01529   480   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01530   480   NtClose  (200, ... ) == 0x0
 01531   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01533   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01537   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01540   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01541   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01542   480   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 204, ) }, ... 204, ) == 0x0
 01543   480   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\F:00000000000091cd", 66, ) , 66, ) == 0x0
 01544   480   NtClose  (204, ... ) == 0x0
 01545   480   NtQueryVolumeInformationFile  (200, 2284376, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01546   480   NtClose  (200, ... ) == 0x0
 01547   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01548   480   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01549   480   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 204, ) }, ... 204, ) == 0x0
 01550   480   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\U:00000000000091cd", 66, ) , 66, ) == 0x0
 01551   480   NtClose  (204, ... ) == 0x0
 01552   480   NtQueryVolumeInformationFile  (200, 2284376, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01553   480   NtClose  (200, ... ) == 0x0
 01554   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01555   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01556   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01557   480   NtClose  (200, ... ) == 0x0
 01558   480   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01559   480   NtClose  (204, ... ) == 0x0
 01560   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01561   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282564, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282564, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01562   480   NtClose  (204, ... ) == 0x0
 01563   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01564   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 204, ) }, ... 204, ) == 0x0
 01566   480   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01567   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01568   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01569   480   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01570   480   NtClose  (200, ... ) == 0x0
 01571   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   480   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   480   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01574   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01575   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01576   480   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01577   480   NtClose  (200, ... ) == 0x0
 01578   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   480   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 200, ) == 0x0
 01580   480   NtClose  (206, ... ) == 0x0
 01581   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01582   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01583   480   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01584   480   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01585   480   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01586   480   NtAllocateVirtualMemory  (-1, 4571136, 0, 4096, 4096, 4, ... 4571136, 4096, ) == 0x0
 01587   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01588   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01589   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01590   480   NtClose  (204, ... ) == 0x0
 01591   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   480   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01594   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01595   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01596   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01597   480   NtClose  (204, ... ) == 0x0
 01598   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   480   NtQueryValueKey  (202,  (202, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01601   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01602   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01603   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01604   480   NtClose  (204, ... ) == 0x0
 01605   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   480   NtQueryValueKey  (202,  (202, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   480   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01608   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01610   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   480   NtClose  (204, ... ) == 0x0
 01612   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   480   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 204, ) }, ... 204, ) == 0x0
 01617   480   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01618   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01620   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   480   NtClose  (208, ... ) == 0x0
 01622   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   480   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01625   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01626   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01627   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01628   480   NtClose  (208, ... ) == 0x0
 01629   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   480   NtQueryValueKey  (202,  (202, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01632   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01633   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01634   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01635   480   NtClose  (208, ... ) == 0x0
 01636   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   480   NtQueryValueKey  (202,  (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01638   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01639   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01640   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01641   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01642   480   NtClose  (208, ... ) == 0x0
 01643   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   480   NtQueryValueKey  (202,  (202, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   480   NtClose  (202, ... ) == 0x0
 01646   480   NtClose  (206, ... ) == 0x0
 01647   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01648   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282468, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282468, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01649   480   NtClose  (204, ... ) == 0x0
 01650   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01651   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282388, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282388, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01652   480   NtClose  (204, ... ) == 0x0
 01653   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01654   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01655   480   NtAllocateVirtualMemory  (-1, 2269184, 0, 4096, 4096, 260, ... 2269184, 4096, ) == 0x0
 01656   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2277760, ... ) }, 2277760, ... ) == 0x0
 01657   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01658   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01659   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01660   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01661   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01662   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01663   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01664   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01665   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01666   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01667   480   NtClose  (204, ... ) == 0x0
 01668   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01669   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01670   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01671   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01672   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01673   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01674   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01675   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01676   480   NtClose  (204, ... ) == 0x0
 01677   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01678   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01679   480   NtClose  (204, ... ) == 0x0
 01680   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01681   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01682   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2277760, ... ) }, 2277760, ... ) == 0x0
 01683   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01684   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01685   480   NtAllocateVirtualMemory  (-1, 4575232, 0, 4096, 4096, 4, ... 4575232, 4096, ) == 0x0
 01686   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01687   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01688   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01689   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01690   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01691   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01692   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01693   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01694   480   NtClose  (204, ... ) == 0x0
 01695   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01696   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01697   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01698   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01699   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01700   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01701   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01702   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01703   480   NtClose  (204, ... ) == 0x0
 01704   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01705   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01706   480   NtClose  (204, ... ) == 0x0
 01707   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01708   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01709   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2279816, ... ) }, 2279816, ... ) == 0x0
 01710   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01711   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01712   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01713   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01714   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01715   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01716   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01717   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01718   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01719   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01720   480   NtClose  (204, ... ) == 0x0
 01721   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01722   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01723   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2278096, ... ) }, 2278096, ... ) == 0x0
 01724   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01725   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01726   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01727   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01728   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01729   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01730   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01731   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01732   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01733   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01734   480   NtClose  (204, ... ) == 0x0
 01735   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01736   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01737   480   NtClose  (204, ... ) == 0x0
 01738   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01739   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01740   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2278096, ... ) }, 2278096, ... ) == 0x0
 01741   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01742   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01743   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01744   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01745   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01746   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01747   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01748   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01749   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01750   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01751   480   NtClose  (204, ... ) == 0x0
 01752   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01753   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01754   480   NtClose  (204, ... ) == 0x0
 01755   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01756   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01757   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 2278096, ... ) }, 2278096, ... ) == 0x0
 01758   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01759   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01760   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01761   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01762   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01763   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01764   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 83, 4096, 4, ... 12713984, 4096, ) == 0x0
 01765   480   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01766   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01767   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01768   480   NtClose  (204, ... ) == 0x0
 01769   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01770   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01771   480   NtClose  (204, ... ) == 0x0
 01772   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01773   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01774   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01775   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01776   480   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01777   480   NtQueryValueKey  (204,  (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 01778   480   NtClose  (204, ... ) == 0x0
 01779   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 2284248, ... ) }, 2284248, ... ) == 0x0
 01780   480   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01781   480   NtSetValueKey  (204,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0
 01782   480   NtClose  (204, ... ) == 0x0
 01783   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 2282660, ... ) }, 2282660, ... ) == 0x0
 01784   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01785   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01786   480   NtClose  (204, ... ) == 0x0
 01787   480   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc20000), 0x0, 262144, ) == 0x0
 01788   480   NtClose  (200, ... ) == 0x0
 01789   480   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01790   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01791   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01792   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01793   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01794   480   NtClose  (200, ... ) == 0x0
 01795   480   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01796   480   NtClose  (204, ... ) == 0x0
 01797   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01798   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282568, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282568, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01799   480   NtClose  (204, ... ) == 0x0
 01800   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01801   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282476, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282476, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01802   480   NtClose  (204, ... ) == 0x0
 01803   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01804   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282404, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282404, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01805   480   NtClose  (204, ... ) == 0x0
 01806   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01807   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01808   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 2277776, ... ) }, 2277776, ... ) == 0x0
 01809   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01810   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01811   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01812   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01813   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01814   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01815   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 142, 4096, 4, ... 12713984, 4096, ) == 0x0
 01816   480   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01817   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01818   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01819   480   NtClose  (204, ... ) == 0x0
 01820   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01821   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01822   480   NtClose  (204, ... ) == 0x0
 01823   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01824   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01825   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 2277748, ... ) }, 2277748, ... ) == 0x0
 01826   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01827   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01828   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01829   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01830   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01831   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01832   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 142, 4096, 4, ... 12713984, 4096, ) == 0x0
 01833   480   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01834   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01835   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01836   480   NtClose  (204, ... ) == 0x0
 01837   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01838   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01839   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 2278112, ... ) }, 2278112, ... ) == 0x0
 01840   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01841   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01842   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01843   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01844   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01845   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01846   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 142, 4096, 4, ... 12713984, 4096, ) == 0x0
 01847   480   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01848   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01849   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01850   480   NtClose  (204, ... ) == 0x0
 01851   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01852   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01853   480   NtClose  (204, ... ) == 0x0
 01854   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01855   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01856   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 2278112, ... ) }, 2278112, ... ) == 0x0
 01857   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01858   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01859   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01860   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01861   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01862   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01863   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 142, 4096, 4, ... 12713984, 4096, ) == 0x0
 01864   480   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01865   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01866   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01867   480   NtClose  (204, ... ) == 0x0
 01868   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01869   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01870   480   NtClose  (204, ... ) == 0x0
 01871   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01872   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01873   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 2278112, ... ) }, 2278112, ... ) == 0x0
 01874   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   480   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01877   480   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01878   480   NtQueryInformationFile  (204, 4564320, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01879   480   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 12713984, 1052672, ) == 0x0
 01880   480   NtAllocateVirtualMemory  (-1, 12713984, 0, 142, 4096, 4, ... 12713984, 4096, ) == 0x0
 01881   480   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01882   480   NtFreeVirtualMemory  (-1, (0xc20000), 1052672, 32768, ... (0xc20000), 1052672, ) == 0x0
 01883   480   NtUnlockFile  (204, {0, 0}, {-1, -1}, 480, ... ) == STATUS_RANGE_NOT_LOCKED
 01884   480   NtClose  (204, ... ) == 0x0
 01885   480   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01886   480   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01887   480   NtClose  (204, ... ) == 0x0
 01888   480   NtAllocateVirtualMemory  (-1, 4579328, 0, 4096, 4096, 4, ... 4579328, 4096, ) == 0x0
 01889   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01890   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01891   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01892   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01893   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01894   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01895   480   NtQueryValueKey  (204,  (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0
 01896   480   NtClose  (204, ... ) == 0x0
 01897   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 2284248, ... ) }, 2284248, ... ) == 0x0
 01898   480   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01899   480   NtSetValueKey  (204,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01900   480   NtClose  (204, ... ) == 0x0
 01901   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 2282660, ... ) }, 2282660, ... ) == 0x0
 01902   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01903   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01904   480   NtClose  (204, ... ) == 0x0
 01905   480   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc20000), 0x0, 262144, ) == 0x0
 01906   480   NtClose  (200, ... ) == 0x0
 01907   480   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01908   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01909   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01910   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01911   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01912   480   NtClose  (200, ... ) == 0x0
 01913   480   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01914   480   NtClose  (204, ... ) == 0x0
 01915   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01916   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282576, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282576, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01917   480   NtClose  (204, ... ) == 0x0
 01918   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01919   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282488, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282488, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01920   480   NtClose  (204, ... ) == 0x0
 01921   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01922   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282420, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282420, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01923   480   NtClose  (204, ... ) == 0x0
 01924   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01925   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01926   480   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01927   480   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01928   480   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01929   480   NtQueryValueKey  (204,  (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0
 01930   480   NtClose  (204, ... ) == 0x0
 01931   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 2284248, ... ) }, 2284248, ... ) == 0x0
 01932   480   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01933   480   NtSetValueKey  (204,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0
 01934   480   NtClose  (204, ... ) == 0x0
 01935   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 2282660, ... ) }, 2282660, ... ) == 0x0
 01936   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01937   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01938   480   NtClose  (204, ... ) == 0x0
 01939   480   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc20000), 0x0, 262144, ) == 0x0
 01940   480   NtClose  (200, ... ) == 0x0
 01941   480   NtUnmapViewOfSection  (-1, 0xc20000, ... ) == 0x0
 01942   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01943   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01944   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01945   480   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01946   480   NtClose  (200, ... ) == 0x0
 01947   480   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01948   480   NtClose  (204, ... ) == 0x0
 01949   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01950   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282572, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282572, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01951   480   NtClose  (204, ... ) == 0x0
 01952   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01953   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282484, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282484, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01954   480   NtClose  (204, ... ) == 0x0
 01955   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01956   480   NtQueryDirectoryFile  (204, 0, 0, 0, 2282416, 616, BothDirectory, 1,  (204, 0, 0, 0, 2282416, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01957   480   NtClose  (204, ... ) == 0x0
 01958   480   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 204, ) }, ... 204, ) == 0x0
 01959   480   NtEnumerateValueKey  (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01960   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01961   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01963   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01964   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01965   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01966   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01967   480   NtClose  (208, ... ) == 0x0
 01968   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   480   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01970   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01971   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01972   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01973   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01974   480   NtClose  (208, ... ) == 0x0
 01975   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   480   NtQueryValueKey  (202,  (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   480   NtClose  (202, ... ) == 0x0
 01978   480   NtEnumerateValueKey  (204, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01979   480   NtClose  (204, ... ) == 0x0
 01980   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01981   480   NtQueryValueKey  (204,  (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01982   480   NtClose  (204, ... ) == 0x0
 01983   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01984   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01985   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2284584, ... ) }, 2284584, ... ) == 0x0
 01986   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01987   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01988   480   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01989   480   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01990   480   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01991   480   NtClose  (204, ... ) == 0x0
 01992   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01993   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01995   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 01997   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 01999   480   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02000   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02001   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02002   480   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02003   480   NtClose  (200, ... ) == 0x0
 02004   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   480   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02006   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02007   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 200, ) }, ... 200, ) == 0x0
 02009   480   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02010   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02012   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   480   NtClose  (208, ... ) == 0x0
 02014   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   480   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   480   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02017   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02018   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02019   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02020   480   NtClose  (208, ... ) == 0x0
 02021   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   480   NtOpenKey  (0x2000000, {24, 202, 0x40, 0, 0, ""}, ... 208, ) == 0x0
 02023   480   NtClose  (202, ... ) == 0x0
 02024   480   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02025   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02027   480   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   480   NtClose  (200, ... ) == 0x0
 02029   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   480   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   480   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 02032   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02033   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02034   480   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02035   480   NtClose  (200, ... ) == 0x0
 02036   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02037   480   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02039   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02041   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 02042   480   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02044   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02045   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02046   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02047   480   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02048   480   NtClose  (212, ... ) == 0x0
 02049   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   480   NtQueryValueKey  (202,  (202, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02051   480   NtClose  (202, ... ) == 0x0
 02052   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02053   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 200, ) }, ... 200, ) == 0x0
 02055   480   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 02056   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02057   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02058   480   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02059   480   NtClose  (212, ... ) == 0x0
 02060   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02061   480   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   480   NtClose  (206, ... ) == 0x0
 02063   480   NtClose  (210, ... ) == 0x0
 02064   480   NtClose  (202, ... ) == 0x0
 02065   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02066   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   480   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02068   480   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02070   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02072   480   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02073   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02074   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02075   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02076   480   NtClose  (208, ... ) == 0x0
 02077   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   480   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02079   480   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02080   480   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 208, ) }, ... 208, ) == 0x0
 02082   480   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02083   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02085   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   480   NtClose  (204, ... ) == 0x0
 02087   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   480   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02089   480   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02090   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02091   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02092   480   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02093   480   NtClose  (204, ... ) == 0x0
 02094   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   480   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 02096   480   NtClose  (210, ... ) == 0x0
 02097   480   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02098   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02099   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02100   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02101   480   NtClose  (208, ... ) == 0x0
 02102   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   480   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "shell"}, ... 208, ) }, ... 208, ) == 0x0
 02104   480   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02105   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02106   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02107   480   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02108   480   NtClose  (212, ... ) == 0x0
 02109   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02110   480   NtQueryValueKey  (210, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   480   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02112   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02114   480   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   480   NtClose  (212, ... ) == 0x0
 02116   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   480   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "open"}, ... 212, ) }, ... 212, ) == 0x0
 02118   480   NtClose  (210, ... ) == 0x0
 02119   480   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02120   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02121   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02122   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02123   480   NtClose  (208, ... ) == 0x0
 02124   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   480   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02126   480   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02127   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02128   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02129   480   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02130   480   NtClose  (216, ... ) == 0x0
 02131   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   480   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02133   480   NtClose  (210, ... ) == 0x0
 02134   480   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   480   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02136   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02137   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02138   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02139   480   NtClose  (208, ... ) == 0x0
 02140   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   480   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02142   480   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02143   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02144   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02145   480   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02146   480   NtClose  (216, ... ) == 0x0
 02147   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   480   NtQueryValueKey  (210,  (210, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02149   480   NtClose  (210, ... ) == 0x0
 02150   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   480   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02152   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02153   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02154   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02155   480   NtClose  (208, ... ) == 0x0
 02156   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   480   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02158   480   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02159   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02160   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02161   480   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02162   480   NtClose  (216, ... ) == 0x0
 02163   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   480   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02165   480   NtClose  (210, ... ) == 0x0
 02166   480   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02167   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02168   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02169   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02170   480   NtClose  (208, ... ) == 0x0
 02171   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02172   480   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173   480   NtUserGetForegroundWindow  (... ) == 0x20060
 02174   480   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02175   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02176   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02177   480   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02178   480   NtClose  (208, ... ) == 0x0
 02179   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   480   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02181   480   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02182   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02183   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02184   480   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02185   480   NtClose  (216, ... ) == 0x0
 02186   480   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   480   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02188   480   NtClose  (210, ... ) == 0x0
 02189   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02190   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02191   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02193   480   NtQueryValueKey  (208,  (208, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   480   NtClose  (208, ... ) == 0x0
 02195   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02196   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02197   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02199   480   NtQueryValueKey  (208,  (208, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   480   NtClose  (208, ... ) == 0x0
 02201   480   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   480   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   480   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02205   480   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02206   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   480   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02208   480   NtQueryValueKey  (208,  (208, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   480   NtClose  (208, ... ) == 0x0
 02210   480   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   480   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02212   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2279884, ... ) }, 2279884, ... ) == 0x0
 02213   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2280576, ... ) }, 2280576, ... ) == 0x0
 02214   480   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02215   480   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 02216   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 216, ) }, ... 216, ) == 0x0
 02217   480   NtQueryValueKey  (216,  (216, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   480   NtClose  (216, ... ) == 0x0
 02219   480   NtQueryVolumeInformationFile  (208, 2279884, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02220   480   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 216, ) }, ... 216, ) == 0x0
 02221   480   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02222   480   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 220, ) }, ... 220, ) == 0x0
 02223   480   NtMapViewOfSection  (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xc20000), {0, 0}, 57344, ) == 0x0
 02224   480   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02225   480   NtAllocateVirtualMemory  (-1, 4583424, 0, 4096, 4096, 4, ... 4583424, 4096, ) == 0x0
 02226   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 2277868, ... ) }, 2277868, ... ) == 0x0
 02227   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 02228   480   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0
 02229   480   NtClose  (224, ... ) == 0x0
 02230   480   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc30000), 0x0, 106496, ) == 0x0
 02231   480   NtClose  (228, ... ) == 0x0
 02232   480   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 02233   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 2278184, ... ) }, 2278184, ... ) == 0x0
 02234   480   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02235   480   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0
 02236   480   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02237   480   NtClose  (228, ... ) == 0x0
 02238   480   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02239   480   NtClose  (224, ... ) == 0x0
 02240   480   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0
 02241   480   NtQueryInformationFile  (224, 2278472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02242   480   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 02243   480   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xc30000), 0x0, 1028096, ) == 0x0
 02244   480   NtQueryInformationFile  (224, 2278568, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02245   480   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   480   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02247   480   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02248   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02249   480   NtQueryDirectoryFile  (232, 0, 0, 0, 2276132, 616, BothDirectory, 1,  (232, 0, 0, 0, 2276132, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 02250   480   NtClose  (232, ... ) == 0x0
 02251   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02252   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02253   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2275520, ... ) }, 2275520, ... ) == 0x0
 02254   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02255   480   NtQueryDirectoryFile  (232, 0, 0, 0, 2274880, 616, BothDirectory, 1,  (232, 0, 0, 0, 2274880, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02256   480   NtClose  (232, ... ) == 0x0
 02257   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02258   480   NtQueryDirectoryFile  (232, 0, 0, 0, 2274880, 616, BothDirectory, 1,  (232, 0, 0, 0, 2274880, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02259   480   NtClose  (232, ... ) == 0x0
 02260   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02261   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02262   480   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02263   480   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02264   480   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 232, ) == 0x0
 02265   480   NtQueryInformationToken  (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   480   NtClose  (232, ... ) == 0x0
 02267   480   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   480   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02270   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02271   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 2277800, ... ) }, 2277800, ... ) == 0x0
 02272   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02273   480   NtQueryDirectoryFile  (232, 0, 0, 0, 2277160, 616, BothDirectory, 1,  (232, 0, 0, 0, 2277160, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02274   480   NtClose  (232, ... ) == 0x0
 02275   480   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02276   480   NtQueryDirectoryFile  (232, 0, 0, 0, 2277160, 616, BothDirectory, 1,  (232, 0, 0, 0, 2277160, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02277   480   NtClose  (232, ... ) == 0x0
 02278   480   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02279   480   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02280   480   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02281   480   NtQueryVolumeInformationFile  (208, 2278444, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02282   480   NtQueryInformationFile  (208, 2278424, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02283   480   NtQueryInformationFile  (208, 2278464, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02284   480   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02285   480   NtUnmapViewOfSection  (-1, 0xc30000, ... ) == 0x0
 02286   480   NtClose  (228, ... ) == 0x0
 02287   480   NtClose  (224, ... ) == 0x0
 02288   480   NtClose  (208, ... ) == 0x0
 02289   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 2279860, ... ) }, 2279860, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   480   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 2279860, ... ) }, 2279860, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 2279860, ... ) }, 2279860, ... ) == 0x0
 02292   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 2280576, ... ) }, 2280576, ... ) == 0x0
 02293   480   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02294   480   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... 224, ) == 0x0
 02295   480   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   480   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02297   480   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   480   NtCreateProcessEx  (2282512, 2035711, 0, -1, 0, 224, 0, 0, 0, ... ) == 0x0
 02299   480   NtSetInformationProcess  (228, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02300   480   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=784,ParentPid=460,}, 0x0, ) == 0x0
 02301   480   NtReadVirtualMemory  (228, 0x7ffdf008, 4, ...  (228, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 02302   480   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   480   NtAllocateVirtualMemory  (-1, 4587520, 0, 8192, 4096, 4, ... 4587520, 8192, ) == 0x0
 02304   480   NtReadVirtualMemory  (228, 0x4ad00000, 4096, ...  (228, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02305   480   NtReadVirtualMemory  (228, 0x4ad3b000, 256, ...  (228, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 02306   480   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02307   480   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=784,ParentPid=460,}, 0x0, ) == 0x0
 02308   480   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 2280576, ... ) }, 2280576, ... ) == 0x0
 02309   480   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 12779520, 4096, ) == 0x0
 02310   480   NtAllocateVirtualMemory  (228, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02311   480   NtWriteVirtualMemory  (228, 0x10000,  (228, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02312   480   NtAllocateVirtualMemory  (228, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02313   480   NtWriteVirtualMemory  (228, 0x20000,  (228, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0
 02314   480   NtWriteVirtualMemory  (228, 0x7ffdf010,  (228, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02315   480   NtWriteVirtualMemory  (228, 0x7ffdf1e8,  (228, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02316   480   NtFreeVirtualMemory  (-1, (0xc30000), 0, 32768, ... (0xc30000), 4096, ) == 0x0
 02317   480   NtAllocateVirtualMemory  (228, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02318   480   NtAllocateVirtualMemory  (228, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 02319   480   NtCreateThread  (0x1f03ff, 0x0, 228, 2280776, 2281496, 1, ... 232, {784, 716}, ) == 0x0
 02320   480   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 2282608, 0, 0}  (24, {168, 196, new_msg, 0, 0, 2282608, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 460, 480, 1557, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0 (24, {168, 196, new_msg, 0, 0, 2282608, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 460, 480, 1557, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ) \0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326 (24, {168, 196, new_msg, 0, 0, 2282608, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 460, 480, 1557, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\20\3\0\0\314\2\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02321   480   NtResumeThread  (232, ... 1, ) == 0x0
 02322   480   NtClose  (208, ... ) == 0x0
 02323   480   NtClose  (224, ... ) == 0x0
 02324   480   NtClose  (214, ... ) == 0x0
 02325   480   NtClose  (202, ... ) == 0x0
 02326   480   NtClose  (206, ... ) == 0x0
 02327   480   NtClose  (228, ... ) == 0x0
 02328   480   NtClose  (232, ... ) == 0x0
 02329   480   NtUserDestroyWindow  (131248, ...
 02330   480   NtUserRemoveProp  (131248, 43288, ... ) == 0xffffffff
 02331   480   NtUserRemoveProp  (131248, 43282, ... ) == 0x0
 02332   480   NtUserRemoveProp  (131248, 43287, ... ) == 0x0
 02329   480   NtUserDestroyWindow  ... ) == 0x1
 02333   480   NtUserUnregisterClass  (2285956, 1998258176, 2285944, ... ) == 0x1
 02334   480   NtTerminateProcess  (0, 0, ... ) == 0x0
 02335   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02336   480   NtWaitForMultipleObjects  (2, (168, 160, ), 1, 0, 0x0, ... ) == 0x1
 02337   480   NtClose  (160, ... ) == 0x0
 02338   480   NtSetEvent  (168, ... 0x0, ) == 0x0
 02339   480   NtClose  (168, ... ) == 0x0
 02340   480   NtWaitForMultipleObjects  (2, (176, 180, ), 1, 0, 0x0, ... ) == 0x1
 02341   480   NtClose  (180, ... ) == 0x0
 02342   480   NtSetEvent  (176, ... 0x0, ) == 0x0
 02343   480   NtClose  (176, ... ) == 0x0
 02344   480   NtWaitForMultipleObjects  (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1
 02345   480   NtClose  (188, ... ) == 0x0
 02346   480   NtSetEvent  (184, ... 0x0, ) == 0x0
 02347   480   NtClose  (184, ... ) == 0x0
 02348   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02349   480   NtUnmapViewOfSection  (-1, 0xbc0000, ... ) == 0x0
 02350   480   NtClose  (108, ... ) == 0x0
 02351   480   NtGdiDeleteObjectApp  (51381216, ... ) == 0x1
 02352   480   NtUserGetProcessWindowStation  (... ) == 0x28
 02353   480   NtUserBuildNameList  (40, 256, 4472456, 2290420, ... ) == 0x0
 02354   480   NtUserGetProcessWindowStation  (... ) == 0x28
 02355   480   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 02356   480   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x70030, 0x20062, 0x10082, 0x10078, 0x10068, 0x30044, 0x10066, 0x30046, 0x30036, 0x1009c, 0x10090, 0x10080, 0x10026, 0x300b0, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b2, 0x100ae, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x2005e, 0x1006c, 0x5004a, 0x4004e, 0x50048, 0x10086, 0x1007a, 0x1, ), 38, ) == 0x0
 02357   480   NtUserQueryWindow  (65706, 0, ... ) == 0x7d8
 02358   480   NtUserQueryWindow  (65706, 1, ... ) == 0x7dc
 02359   480   NtUserQueryWindow  (65704, 0, ... ) == 0x7d8
 02360   480   NtUserQueryWindow  (65704, 1, ... ) == 0x7dc
 02361   480   NtUserQueryWindow  (65702, 0, ... ) == 0x7d8
 02362   480   NtUserQueryWindow  (65702, 1, ... ) == 0x7dc
 02363   480   NtUserQueryWindow  (458800, 0, ... ) == 0x7d8
 02364   480   NtUserQueryWindow  (458800, 1, ... ) == 0x7dc
 02365   480   NtUserQueryWindow  (131170, 0, ... ) == 0x76c
 02366   480   NtUserQueryWindow  (131170, 1, ... ) == 0x780
 02367   480   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 02368   480   NtUserQueryWindow  (65666, 1, ... ) == 0x780
 02369   480   NtUserBuildHwndList  (0, 65666, 1, 0, 64, ... (0x10084, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 02370   480   NtUserQueryWindow  (65668, 0, ... ) == 0x76c
 02371   480   NtUserQueryWindow  (65668, 1, ... ) == 0x780
 02372   480   NtUserQueryWindow  (65674, 0, ... ) == 0x76c
 02373   480   NtUserQueryWindow  (65674, 1, ... ) == 0x780
 02374   480   NtUserQueryWindow  (65676, 0, ... ) == 0x76c
 02375   480   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 02376   480   NtUserQueryWindow  (65678, 0, ... ) == 0x76c
 02377   480   NtUserQueryWindow  (65678, 1, ... ) == 0x780
 02378   480   NtUserQueryWindow  (65682, 0, ... ) == 0x76c
 02379   480   NtUserQueryWindow  (65682, 1, ... ) == 0x780
 02380   480   NtUserQueryWindow  (65684, 0, ... ) == 0x76c
 02381   480   NtUserQueryWindow  (65684, 1, ... ) == 0x780
 02382   480   NtUserQueryWindow  (65686, 0, ... ) == 0x76c
 02383   480   NtUserQueryWindow  (65686, 1, ... ) == 0x780
 02384   480   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 02385   480   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 02386   480   NtUserQueryWindow  (65690, 0, ... ) == 0x76c
 02387   480   NtUserQueryWindow  (65690, 1, ... ) == 0x780
 02388   480   NtUserQueryWindow  (65694, 0, ... ) == 0x76c
 02389   480   NtUserQueryWindow  (65694, 1, ... ) == 0x780
 02390   480   NtUserQueryWindow  (65696, 0, ... ) == 0x76c
 02391   480   NtUserQueryWindow  (65696, 1, ... ) == 0x780
 02392   480   NtUserQueryWindow  (65698, 0, ... ) == 0x76c
 02393   480   NtUserQueryWindow  (65698, 1, ... ) == 0x780
 02394   480   NtUserQueryWindow  (65656, 0, ... ) == 0x76c
 02395   480   NtUserQueryWindow  (65656, 1, ... ) == 0x780
 02396   480   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 02397   480   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 02398   480   NtUserQueryWindow  (196676, 0, ... ) == 0x76c
 02399   480   NtUserQueryWindow  (196676, 1, ... ) == 0x780
 02400   480   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 02401   480   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 02402   480   NtUserQueryWindow  (196678, 0, ... ) == 0x76c
 02403   480   NtUserQueryWindow  (196678, 1, ... ) == 0x780
 02404   480   NtUserQueryWindow  (196662, 0, ... ) == 0x76c
 02405   480   NtUserQueryWindow  (196662, 1, ... ) == 0x780
 02406   480   NtUserBuildHwndList  (0, 196662, 1, 0, 64, ... (0x30038, 0x3003c, 0x3003a, 0x3003e, 0x30040, 0x30042, 0x1006a, 0x10072, 0x10076, 0x1, ), 10, ) == 0x0
 02407   480   NtUserQueryWindow  (196664, 0, ... ) == 0x76c
 02408   480   NtUserQueryWindow  (196664, 1, ... ) == 0x780
 02409   480   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 02410   480   NtUserQueryWindow  (196668, 1, ... ) == 0x780
 02411   480   NtUserQueryWindow  (196666, 0, ... ) == 0x76c
 02412   480   NtUserQueryWindow  (196666, 1, ... ) == 0x780
 02413   480   NtUserQueryWindow  (196670, 0, ... ) == 0x76c
 02414   480   NtUserQueryWindow  (196670, 1, ... ) == 0x780
 02415   480   NtUserQueryWindow  (196672, 0, ... ) == 0x76c
 02416   480   NtUserQueryWindow  (196672, 1, ... ) == 0x780
 02417   480   NtUserQueryWindow  (196674, 0, ... ) == 0x76c
 02418   480   NtUserQueryWindow  (196674, 1, ... ) == 0x780
 02419   480   NtUserQueryWindow  (65642, 0, ... ) == 0x76c
 02420   480   NtUserQueryWindow  (65642, 1, ... ) == 0x780
 02421   480   NtUserQueryWindow  (65650, 0, ... ) == 0x76c
 02422   480   NtUserQueryWindow  (65650, 1, ... ) == 0x780
 02423   480   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 02424   480   NtUserQueryWindow  (65654, 1, ... ) == 0x780
 02425   480   NtUserQueryWindow  (65692, 0, ... ) == 0x76c
 02426   480   NtUserQueryWindow  (65692, 1, ... ) == 0x780
 02427   480   NtUserQueryWindow  (65680, 0, ... ) == 0x76c
 02428   480   NtUserQueryWindow  (65680, 1, ... ) == 0x780
 02429   480   NtUserQueryWindow  (65664, 0, ... ) == 0x76c
 02430   480   NtUserQueryWindow  (65664, 1, ... ) == 0x770
 02431   480   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 02432   480   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 02433   480   NtUserQueryWindow  (196784, 0, ... ) == 0x310
 02434   480   NtUserQueryWindow  (196784, 1, ... ) == 0x2cc
 02435   480   NtUserQueryWindow  (65726, 0, ... ) == 0x7e0
 02436   480   NtUserQueryWindow  (65726, 1, ... ) == 0x7e4
 02437   480   NtUserQueryWindow  (65724, 0, ... ) == 0x7e0
 02438   480   NtUserQueryWindow  (65724, 1, ... ) == 0x7e4
 02439   480   NtUserQueryWindow  (65722, 0, ... ) == 0x7e0
 02440   480   NtUserQueryWindow  (65722, 1, ... ) == 0x7e4
 02441   480   NtUserQueryWindow  (65720, 0, ... ) == 0x7e0
 02442   480   NtUserQueryWindow  (65720, 1, ... ) == 0x7e4
 02443   480   NtUserQueryWindow  (65718, 0, ... ) == 0x7e0
 02444   480   NtUserQueryWindow  (65718, 1, ... ) == 0x7e4
 02445   480   NtUserQueryWindow  (65716, 0, ... ) == 0x7e0
 02446   480   NtUserQueryWindow  (65716, 1, ... ) == 0x7e4
 02447   480   NtUserQueryWindow  (65714, 0, ... ) == 0x7e0
 02448   480   NtUserQueryWindow  (65714, 1, ... ) == 0x7e4
 02449   480   NtUserQueryWindow  (65710, 0, ... ) == 0x7e0
 02450   480   NtUserQueryWindow  (65710, 1, ... ) == 0x7e4
 02451   480   NtUserQueryWindow  (131168, 0, ... ) == 0x7ec
 02452   480   NtUserQueryWindow  (131168, 1, ... ) == 0x7f0
 02453   480   NtUserQueryWindow  (65740, 0, ... ) == 0x76c
 02454   480   NtUserQueryWindow  (65740, 1, ... ) == 0x108
 02455   480   NtUserQueryWindow  (65730, 0, ... ) == 0x76c
 02456   480   NtUserQueryWindow  (65730, 1, ... ) == 0x108
 02457   480   NtUserBuildHwndList  (0, 65730, 1, 0, 64, ... (0x100c4, 0x100c6, 0x100c8, 0x100ca, 0x1, ), 5, ) == 0x0
 02458   480   NtUserQueryWindow  (65732, 0, ... ) == 0x76c
 02459   480   NtUserQueryWindow  (65732, 1, ... ) == 0x108
 02460   480   NtUserQueryWindow  (65734, 0, ... ) == 0x76c
 02461   480   NtUserQueryWindow  (65734, 1, ... ) == 0x108
 02462   480   NtUserQueryWindow  (65736, 0, ... ) == 0x76c
 02463   480   NtUserQueryWindow  (65736, 1, ... ) == 0x108
 02464   480   NtUserQueryWindow  (65738, 0, ... ) == 0x76c
 02465   480   NtUserQueryWindow  (65738, 1, ... ) == 0x108
 02466   480   NtUserQueryWindow  (65728, 0, ... ) == 0x76c
 02467   480   NtUserQueryWindow  (65728, 1, ... ) == 0x780
 02468   480   NtUserQueryWindow  (65708, 0, ... ) == 0x7d8
 02469   480   NtUserQueryWindow  (65708, 1, ... ) == 0x7dc
 02470   480   NtUserQueryWindow  (131166, 0, ... ) == 0x7d0
 02471   480   NtUserQueryWindow  (131166, 1, ... ) == 0x7d4
 02472   480   NtUserQueryWindow  (65644, 0, ... ) == 0x76c
 02473   480   NtUserQueryWindow  (65644, 1, ... ) == 0x7b8
 02474   480   NtUserQueryWindow  (327754, 0, ... ) == 0x76c
 02475   480   NtUserQueryWindow  (327754, 1, ... ) == 0x770
 02476   480   NtUserQueryWindow  (262222, 0, ... ) == 0x76c
 02477   480   NtUserQueryWindow  (262222, 1, ... ) == 0x770
 02478   480   NtUserQueryWindow  (327752, 0, ... ) == 0x76c
 02479   480   NtUserQueryWindow  (327752, 1, ... ) == 0x770
 02480   480   NtUserQueryWindow  (65670, 0, ... ) == 0x76c
 02481   480   NtUserQueryWindow  (65670, 1, ... ) == 0x770
 02482   480   NtUserQueryWindow  (65658, 0, ... ) == 0x76c
 02483   480   NtUserQueryWindow  (65658, 1, ... ) == 0x770
 02484   480   NtUserBuildHwndList  (0, 65658, 1, 0, 64, ... (0x1007c, 0x1007e, 0x1, ), 3, ) == 0x0
 02485   480   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 02486   480   NtUserQueryWindow  (65660, 1, ... ) == 0x770
 02487   480   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 02488   480   NtUserQueryWindow  (65662, 1, ... ) == 0x770
 02489   480   NtUserCloseDesktop  (108, ...
 02490   480   NtClose  (108, ... ) == 0x0
 02489   480   NtUserCloseDesktop  ... ) == 0x1
 02491   480   NtUserGetProcessWindowStation  (... ) == 0x28
 02492   480   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02493   480   NtUserGetProcessWindowStation  (... ) == 0x28
 02494   480   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02495   480   NtGdiDeleteObjectApp  (185205757, ... ) == 0x1
 02496   480   NtGdiDeleteObjectApp  (134874094, ... ) == 0x1
 02497   480   NtClose  (100, ... ) == 0x0
 02498   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02499   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc03b
 02500   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02501   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc03d
 02502   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02503   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc03f
 02504   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02505   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc041
 02506   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02507   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc043
 02508   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02509   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc045
 02510   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02511   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc047
 02512   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02513   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc049
 02514   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02515   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc04b
 02516   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02517   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc04d
 02518   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02519   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc04f
 02520   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02521   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc051
 02522   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02523   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc053
 02524   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02525   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc057
 02526   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02527   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc059
 02528   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02529   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc05b
 02530   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02531   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc05d
 02532   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02533   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc05f
 02534   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02535   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc017
 02536   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02537   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc019
 02538   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02539   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc018
 02540   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02541   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc01a
 02542   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02543   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc01c
 02544   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02545   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc01e
 02546   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02547   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc01b
 02548   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02549   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc068
 02550   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02551   480   NtUserGetClassInfo  (1905590272, 2290468, 2290420, 2290496, 0, ... ) == 0xc06a
 02552   480   NtUserUnregisterClass  (2290472, 1905590272, 2290460, ... ) == 0x1
 02553   480   NtUnmapViewOfSection  (-1, 0xaa0000, ... ) == 0x0
 02554   480   NtClose  (72, ... ) == 0x0
 02555   480   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 02556   480   NtClose  (76, ... ) == 0x0
 02557   480   NtClose  (68, ... ) == 0x0
 02558   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02559   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc03b
 02560   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02561   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc03d
 02562   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02563   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc03f
 02564   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02565   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc041
 02566   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02567   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc043
 02568   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02569   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc045
 02570   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02571   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc047
 02572   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02573   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc049
 02574   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02575   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc04b
 02576   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02577   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc04d
 02578   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02579   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc04f
 02580   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02581   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc051
 02582   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02583   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc053
 02584   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02585   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc057
 02586   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02587   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc059
 02588   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02589   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc05b
 02590   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02591   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc05d
 02592   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02593   480   NtUserGetClassInfo  (1999896576, 2290468, 2290420, 2290496, 0, ... ) == 0xc05f
 02594   480   NtUserUnregisterClass  (2290472, 1999896576, 2290460, ... ) == 0x1
 02595   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02596   480   NtClose  (172, ... ) == 0x0
 02597   480   NtClose  (148, ... ) == 0x0
 02598   480   NtClose  (164, ... ) == 0x0
 02599   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02600   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02601   480   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02602   480   NtClose  (152, ... ) == 0x0
 02603   480   NtClose  (156, ... ) == 0x0
 02604   480   NtClose  (104, ... ) == 0x0
 02605   480   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02606   480   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 460, 480, 1582, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 460, 480, 1582, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 460, 480, 1582, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02607   480   NtTerminateProcess  (-1, 0, ...
 02608   480   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtAdjustPrivilegesToken(>)	2	NtGdiGetStockObject(>)	5	NtUserRegisterWindowMessage(>)	19
NtAddAtom(>)	1	NtContinue(>)	2	NtUserBuildHwndList(>)	5	NtOpenThreadToken(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtWriteFile(>)	5	NtUnmapViewOfSection(>)	21
NtConnectPort(>)	1	NtEnumerateKey(>)	2	NtCreateSemaphore(>)	6	NtCreateKey(>)	22
NtCreateProcessEx(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtCreateSection(>)	27
NtCreateThread(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultLocale(>)	6	NtQueryInformationFile(>)	27
NtDeleteValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtQuerySymbolicLinkObject(>)	6	NtOpenSection(>)	29
NtGdiCreateBitmap(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	6	NtReleaseSemaphore(>)	31
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtSetInformationProcess(>)	31
NtGdiInit(>)	1	NtQueryVirtualMemory(>)	2	NtQueryDefaultUILanguage(>)	8	NtWaitForSingleObject(>)	33
NtGdiQueryFontAssocInfo(>)	1	NtReleaseMutant(>)	2	NtSetInformationFile(>)	8	NtProtectVirtualMemory(>)	36
NtGdiSelectBitmap(>)	1	NtTerminateProcess(>)	2	NtQueryVolumeInformationFile(>)	9	NtUserUnregisterClass(>)	46
NtNotifyChangeKey(>)	1	NtUserCloseDesktop(>)	2	NtFsControlFile(>)	10	NtMapViewOfSection(>)	48
NtOpenKeyedEvent(>)	1	NtUserCreateWindowEx(>)	2	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	48
NtOpenProcess(>)	1	NtUserDestroyWindow(>)	2	NtQuerySection(>)	11	NtQueryInformationProcess(>)	51
NtQueryInformationJobObject(>)	1	NtUserMessageCall(>)	2	NtRequestWaitReplyPort(>)	11	NtDeviceIoControlFile(>)	55
NtQueryObject(>)	1	NtCreateMutant(>)	3	NtUserCallOneParam(>)	11	NtOpenProcessTokenEx(>)	60
NtQueryPerformanceCounter(>)	1	NtDuplicateObject(>)	3	NtUserSystemParametersInfo(>)	11	NtOpenThreadTokenEx(>)	60
NtQuerySystemTime(>)	1	NtEnumerateValueKey(>)	3	NtLockFile(>)	13	NtUserRegisterClassExWOW(>)	64
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUnlockFile(>)	13	NtQueryAttributesFile(>)	68
NtResumeThread(>)	1	NtGdiDeleteObjectApp(>)	3	NtCreateEvent(>)	14	NtQueryInformationToken(>)	72
NtSecureConnectPort(>)	1	NtOpenEvent(>)	3	NtOpenProcessToken(>)	14	NtQueryKey(>)	73
NtTestAlert(>)	1	NtReadVirtualMemory(>)	3	NtSetValueKey(>)	15	NtUserGetClassInfo(>)	82
NtUserBuildNameList(>)	1	NtSetEvent(>)	3	NtQueryDebugFilterState(>)	16	NtAllocateVirtualMemory(>)	88
NtUserGetAtomName(>)	1	NtUserGetObjectInformation(>)	3	NtFlushInstructionCache(>)	17	NtQuerySystemInformation(>)	88
NtUserGetDC(>)	1	NtUserOpenDesktop(>)	3	NtFreeVirtualMemory(>)	17	NtOpenFile(>)	90
NtUserGetForegroundWindow(>)	1	NtUserRemoveProp(>)	3	NtQueryDirectoryFile(>)	17	NtQueryValueKey(>)	125
NtUserGetGUIThreadInfo(>)	1	NtWaitForMultipleObjects(>)	3	NtReadFile(>)	17	NtUserQueryWindow(>)	128
NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtSetInformationThread(>)	17	NtOpenKey(>)	288
NtUserSetProp(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	18	NtClose(>)	385