Summary:


NtAddAtom(>)  1 
NtUserGetThreadDesktop(>)  1 
NtQueryVirtualMemory(>)  5 
NtQueryInformationProcess(>)  18 

NtCallbackReturn(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtSetInformationProcess(>)  5 
NtUserRegisterWindowMessage(>)  18 

NtClearEvent(>)  1 
NtContinue(>)  2 
NtSetInformationThread(>)  5 
NtOpenSection(>)  22 

NtConnectPort(>)  1 
NtCreateIoCompletion(>)  2 
NtOpenThreadToken(>)  6 
NtQueryAttributesFile(>)  22 

NtCreateSemaphore(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryVolumeInformationFile(>)  6 
NtOpenProcessTokenEx(>)  27 

NtEnumerateValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtFsControlFile(>)  7 
NtOpenThreadTokenEx(>)  27 

NtFreeVirtualMemory(>)  1 
NtOpenEvent(>)  2 
NtQueryDefaultLocale(>)  7 
NtQueryKey(>)  28 

NtGdiCreateBitmap(>)  1 
NtReadFile(>)  2 
NtQueryDirectoryFile(>)  7 
NtMapViewOfSection(>)  31 

NtGdiInit(>)  1 
NtSetEvent(>)  2 
NtQuerySection(>)  7 
NtQueryInformationToken(>)  31 

NtGdiQueryFontAssocInfo(>)  1 
NtSetThreadExecutionState(>)  2 
NtOpenProcessToken(>)  8 
NtDeviceIoControlFile(>)  42 

NtGdiSelectBitmap(>)  1 
NtUserGetDC(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtAllocateVirtualMemory(>)  45 

NtOpenKeyedEvent(>)  1 
NtUserQueryWindow(>)  2 
NtQueryInformationFile(>)  8 
NtOpenFile(>)  47 

NtOpenProcess(>)  1 
NtWriteFile(>)  2 
NtUnmapViewOfSection(>)  8 
NtUserFindExistingCursorIcon(>)  52 

NtQueryInstallUILanguage(>)  1 
NtAccessCheck(>)  3 
NtCreateFile(>)  9 
NtUserRegisterClassExWOW(>)  61 

NtQueryObject(>)  1 
NtDuplicateObject(>)  3 
NtQueryDebugFilterState(>)  9 
NtQuerySystemInformation(>)  73 

NtQuerySystemTime(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtRequestWaitReplyPort(>)  11 
NtFlushInstructionCache(>)  78 

NtRegisterThreadTerminatePort(>)  1 
NtUserCallOneParam(>)  3 
NtUserSystemParametersInfo(>)  11 
NtDelayExecution(>)  85 

NtSecureConnectPort(>)  1 
NtCreateMutant(>)  4 
NtCreateEvent(>)  13 
NtQueryValueKey(>)  98 

NtTestAlert(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationFile(>)  14 
NtOpenKey(>)  147 

NtUserCallNoParam(>)  1 
NtGdiGetStockObject(>)  5 
NtCreateKey(>)  15 
NtProtectVirtualMemory(>)  158 

NtUserGetObjectInformation(>)  1 
NtOpenSymbolicLinkObject(>)  5 
NtCreateSection(>)  15 
NtClose(>)  213 

NtUserGetProcessWindowStation(>)  1 
NtQuerySymbolicLinkObject(>)  5 
NtSetValueKey(>)  17 

Trace:
 00001  1744   NtOpenFile  (0x80100000, {24, 0, 0x240, 0, 0,  (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00003  1744   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00004  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00005  1744   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00006  1744   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00007  1744   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00008  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00009  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00010  1744   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00011  1744   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00012  1744   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00013  1744   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00014  1744   NtClose  (12, ... ) == 0x0
 00015  1744   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00016  1744   NtQueryVolumeInformationFile  (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00017  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0
 00020  1744   NtClose  (16, ... ) == 0x0
 00021  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0
 00022  1744   NtProtectVirtualMemory  (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0
 00023  1744   NtFlushInstructionCache  (-1, 2088767488, 1568, ... ) == 0x0
 00024  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00025  1744   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00026  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00027  1744   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00028  1744   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 19136512}, {0, 0, 0}, 200, 44, ) == 0x0
 00029  1744   NtClose  (16, ... ) == 0x0
 00030  1744   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00031  1744   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00032  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00033  1744   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00034  1744   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00035  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75470, 0}  (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6$\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" ... {28, 56, reply, 0, 1736, 1744, 75470, 0} "\330<\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6$\1\4\0\0\0" )  ) == 0x0
 00036  1744   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00037  1744   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00038  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00039  1744   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00040  1744   NtClose  (16, ... ) == 0x0
 00041  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0
 00042  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00043  1744   NtClose  (16, ... ) == 0x0
 00044  1744   NtQueryDefaultLocale  (0, 2089305000, ... ) == 0x0
 00045  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0
 00046  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0
 00047  1744   NtClose  (16, ... ) == 0x0
 00048  1744   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0
 00049  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00050  1744   NtQuerySection  (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00051  1744   NtClose  (16, ... ) == 0x0
 00052  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0
 00053  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00054  1744   NtClose  (16, ... ) == 0x0
 00055  1744   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00056  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00057  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00058  1744   NtAllocateVirtualMemory  (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0
 00059  1744   NtRequestWaitReplyPort  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ... {24, 52, reply, 0, 1736, 1744, 75471, 0}  (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6$\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" ... {24, 52, reply, 0, 1736, 1744, 75471, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6$\1p\30\0\0" )  ) == 0x0
 00060  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75472, 0}  (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6$\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" ... {28, 56, reply, 0, 1736, 1744, 75472, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6$\18\6\0\0" )  ) == 0x0
 00061  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 8, ) == 0x0
 00062  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 8, ... (0x43f000), 4096, 4, ) == 0x0
 00063  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00064  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00065  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0
 00066  1744   NtClose  (16, ... ) == 0x0
 00067  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00068  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00069  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00070  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00071  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0
 00072  1744   NtClose  (16, ... ) == 0x0
 00073  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00074  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00075  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00076  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00077  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00078  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00079  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0
 00080  1744   NtProtectVirtualMemory  (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0
 00081  1744   NtFlushInstructionCache  (-1, 2011631616, 868, ... ) == 0x0
 00082  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0
 00083  1744   NtProtectVirtualMemory  (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0
 00084  1744   NtFlushInstructionCache  (-1, 2010976256, 1700, ... ) == 0x0
 00085  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00086  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00087  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00088  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MFC42.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00089  1744   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00090  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MFC42.DLL"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091  1744   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0
 00092  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42.DLL"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00093  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00094  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00095  1744   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00096  1744   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00097  1744   NtQueryInformationToken  (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00098  1744   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00099  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0
 00100  1744   NtQueryValueKey  (36,  (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00101  1744   NtClose  (36, ... ) == 0x0
 00102  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00103  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 36, ) == 0x0
 00104  1744   NtQueryInformationToken  (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00105  1744   NtClose  (36, ... ) == 0x0
 00106  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00107  1744   NtClose  (32, ... ) == 0x0
 00108  1744   NtClose  (16, ... ) == 0x0
 00109  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x73dd0000), 0x0, 1040384, ) == 0x0
 00110  1744   NtClose  (28, ... ) == 0x0
 00111  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00112  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0
 00113  1744   NtClose  (28, ... ) == 0x0
 00114  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0
 00115  1744   NtProtectVirtualMemory  (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0
 00116  1744   NtFlushInstructionCache  (-1, 2009141248, 632, ... ) == 0x0
 00117  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00118  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00119  1744   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00120  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00121  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00122  1744   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00123  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00124  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0
 00125  1744   NtClose  (28, ... ) == 0x0
 00126  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00127  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00128  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00129  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00130  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00131  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00132  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00133  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0
 00134  1744   NtClose  (28, ... ) == 0x0
 00135  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00136  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00137  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00138  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00139  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00140  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00141  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0
 00142  1744   NtProtectVirtualMemory  (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0
 00143  1744   NtFlushInstructionCache  (-1, 2118193152, 1252, ... ) == 0x0
 00144  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0
 00145  1744   NtProtectVirtualMemory  (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0
 00146  1744   NtFlushInstructionCache  (-1, 2012286976, 508, ... ) == 0x0
 00147  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00148  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00149  1744   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00150  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 2112, 4, ... (0x73e76000), 4096, 2, ) == 0x0
 00151  1744   NtProtectVirtualMemory  (-1, (0x73e76000), 4096, 2, ... (0x73e76000), 4096, 4, ) == 0x0
 00152  1744   NtFlushInstructionCache  (-1, 1944543232, 2112, ... ) == 0x0
 00153  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00154  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00155  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00156  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCIRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00157  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCIRT.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00158  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCIRT.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00159  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCIRT.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00160  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0
 00161  1744   NtQuerySection  (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00162  1744   NtClose  (28, ... ) == 0x0
 00163  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x400000), 0x0, 69632, ) == 0x0
 00164  1744   NtClose  (16, ... ) == 0x0
 00165  1744   NtProtectVirtualMemory  (-1, (0x401000), 228, 4, ... (0x401000), 4096, 32, ) == 0x0
 00166  1744   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00167  1744   NtFlushInstructionCache  (-1, 4198400, 228, ... ) == 0x0
 00168  1744   NtProtectVirtualMemory  (-1, (0x401000), 228, 4, ... (0x401000), 4096, 32, ) == 0x0
 00169  1744   NtProtectVirtualMemory  (-1, (0x401000), 4096, 32, ... (0x401000), 4096, 4, ) == 0x0
 00170  1744   NtFlushInstructionCache  (-1, 4198400, 228, ... ) == 0x0
 00171  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00172  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00173  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00174  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00175  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\MSVCP60.dll"}, 1242572, ... ) }, 1242572, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00176  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 1242572, ... ) }, 1242572, ... ) == 0x0
 00177  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MSVCP60.dll"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00178  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0
 00179  1744   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00180  1744   NtClose  (16, ... ) == 0x0
 00181  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76080000), 0x0, 413696, ) == 0x0
 00182  1744   NtClose  (28, ... ) == 0x0
 00183  1744   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00184  1744   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00185  1744   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00186  1744   NtProtectVirtualMemory  (-1, (0x760ac000), 392, 4, ... (0x760ac000), 4096, 2, ) == 0x0
 00187  1744   NtProtectVirtualMemory  (-1, (0x760ac000), 4096, 2, ... (0x760ac000), 4096, 4, ) == 0x0
 00188  1744   NtFlushInstructionCache  (-1, 1980416000, 392, ... ) == 0x0
 00189  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00190  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00191  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00192  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00193  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00194  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00195  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ole32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00196  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x774e0000), 0x0, 1298432, ) == 0x0
 00197  1744   NtClose  (28, ... ) == 0x0
 00198  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00199  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00200  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00201  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00202  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00203  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00204  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00205  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00206  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00207  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00208  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00209  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00210  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00211  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00212  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00213  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00214  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00215  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00216  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 2352, 4, ... (0x774e1000), 4096, 32, ) == 0x0
 00217  1744   NtProtectVirtualMemory  (-1, (0x774e1000), 4096, 32, ... (0x774e1000), 4096, 4, ) == 0x0
 00218  1744   NtFlushInstructionCache  (-1, 2001604608, 2352, ... ) == 0x0
 00219  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00220  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00221  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00222  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00223  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00224  1744   NtClose  (28, ... ) == 0x0
 00225  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00226  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00227  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00228  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00229  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00230  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00231  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00232  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00233  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00234  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00235  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00236  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00237  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00238  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00239  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00240  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00241  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00242  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00243  1744   NtProtectVirtualMemory  (-1, (0x77121000), 1272, 4, ... (0x77121000), 4096, 32, ) == 0x0
 00244  1744   NtProtectVirtualMemory  (-1, (0x77121000), 4096, 32, ... (0x77121000), 4096, 4, ) == 0x0
 00245  1744   NtFlushInstructionCache  (-1, 1997672448, 1272, ... ) == 0x0
 00246  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00247  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00248  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00249  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00250  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c9c0000), 0x0, 8482816, ) == 0x0
 00251  1744   NtClose  (28, ... ) == 0x0
 00252  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00253  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00254  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00255  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00256  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00257  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00258  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00259  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00260  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00261  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00262  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00263  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00264  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00265  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00266  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00267  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00268  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00269  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00270  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00271  1744   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f60000), 0x0, 483328, ) == 0x0
 00272  1744   NtClose  (28, ... ) == 0x0
 00273  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00274  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00275  1744   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00276  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00277  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00278  1744   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00279  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00280  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00281  1744   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00282  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00283  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00284  1744   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00285  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 2076, 4, ... (0x77f61000), 4096, 32, ) == 0x0
 00286  1744   NtProtectVirtualMemory  (-1, (0x77f61000), 4096, 32, ... (0x77f61000), 4096, 4, ) == 0x0
 00287  1744   NtFlushInstructionCache  (-1, 2012614656, 2076, ... ) == 0x0
 00288  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00289  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00290  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00291  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 4476, 4, ... (0x7c9c1000), 8192, 32, ) == 0x0
 00292  1744   NtProtectVirtualMemory  (-1, (0x7c9c1000), 8192, 32, ... (0x7c9c1000), 8192, 4, ) == 0x0
 00293  1744   NtFlushInstructionCache  (-1, 2090602496, 4476, ... ) == 0x0
 00294  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00295  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00296  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00297  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00298  1744   NtProtectVirtualMemory  (-1, (0x43f000), 4096, 4, ... (0x43f000), 4096, 4, ) == 0x0
 00299  1744   NtFlushInstructionCache  (-1, 4452352, 4096, ... ) == 0x0
 00300  1744   NtQueryInformationProcess  (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0
 00301  1744   NtSetInformationProcess  (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0
 00302  1744   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00303  1744   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00304  1744   NtClose  (28, ... ) == 0x0
 00305  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00306  1744   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00307  1744   NtClose  (28, ... ) == 0x0
 00308  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00310  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00311  1744   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00312  1744   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00313  1744   NtClose  (28, ... ) == 0x0
 00314  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00315  1744   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00316  1744   NtClose  (28, ... ) == 0x0
 00317  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00318  1744   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0
 00319  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00320  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00321  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00322  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0
 00323  1744   NtAllocateVirtualMemory  (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0
 00324  1744   NtAllocateVirtualMemory  (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0
 00325  1744   NtAllocateVirtualMemory  (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0
 00326  1744   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 16, ) }, ... 16, ) == 0x0
 00327  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0
 00328  1744   NtClose  (16, ... ) == 0x0
 00329  1744   NtAllocateVirtualMemory  (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0
 00330  1744   NtQueryVirtualMemory  (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00331  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00332  1744   NtQueryInformationProcess  (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0
 00333  1744   NtQueryVirtualMemory  (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0
 00334  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00335  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00336  1744   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6$\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75480, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ... {28, 56, reply, 0, 1736, 1744, 75480, 0}  (24, {28, 56, new_msg, 0, 256, 1243092, 256, 1242836} "\210\6$\1\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" ... {28, 56, reply, 0, 1736, 1744, 75480, 0} "\320G\26\0\0\0\0\0\0\0\0\0\1\0\0\0\3\0\0\0\234\6$\1$\1\0\0" )  ) == 0x0
 00337  1744   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0
 00338  1744   NtQueryValueKey  (16,  (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00339  1744   NtClose  (16, ... ) == 0x0
 00340  1744   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00341  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239420, ... ) }, 1239420, ... ) == 0x0
 00342  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00343  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 16, ... 32, ) == 0x0
 00344  1744   NtClose  (16, ... ) == 0x0
 00345  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00346  1744   NtClose  (32, ... ) == 0x0
 00347  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00348  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239328, ... ) }, 1239328, ... ) == 0x0
 00349  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00350  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 32, ... 16, ) == 0x0
 00351  1744   NtClose  (32, ... ) == 0x0
 00352  1744   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x340000), 0x0, 110592, ) == 0x0
 00353  1744   NtClose  (16, ... ) == 0x0
 00354  1744   NtUnmapViewOfSection  (-1, 0x340000, ... ) == 0x0
 00355  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239636, ... ) }, 1239636, ... ) == 0x0
 00356  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0
 00357  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 16, ... 32, ) == 0x0
 00358  1744   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00359  1744   NtClose  (16, ... ) == 0x0
 00360  1744   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0
 00361  1744   NtClose  (32, ... ) == 0x0
 00362  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00363  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00364  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00365  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00366  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00367  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00368  1744   NtProtectVirtualMemory  (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0
 00369  1744   NtProtectVirtualMemory  (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0
 00370  1744   NtFlushInstructionCache  (-1, 1983451136, 696, ... ) == 0x0
 00371  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00372  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00373  1744   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00374  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236552, ... ) }, 1236552, ... ) == 0x0
 00375  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00376  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00377  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00378  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MFC42.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00379  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCIRT.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00380  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00381  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00382  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00384  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00385  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239956, ... ) }, 1239956, ... ) == 0x0
 00386  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00387  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 32, ) }, ... 32, ) == 0x0
 00388  1744   NtQueryValueKey  (32,  (32, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00389  1744   NtClose  (32, ... ) == 0x0
 00390  1744   NtMapViewOfSection  (-2147482576, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x510000), 0x0, 1060864, ) == 0x0
 00391  1744   NtClose  (-2147482576, ... ) == 0x0
 00392  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0
 00393  1744   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00394  1744   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482576, ) == 0x0
 00395  1744   NtQueryInformationToken  (-2147482576, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00396  1744   NtQueryInformationToken  (-2147482576, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00397  1744   NtClose  (-2147482576, ... ) == 0x0
 00398  1744   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0
 00399  1744   NtFreeVirtualMemory  (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0
 00400  1744   NtDuplicateObject  (-1, 16, -1, 0x0, 0, 2, ... 40, ) == 0x0
 00401  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00402  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00403  1744   NtClose  (-2147482576, ... ) == 0x0
 00404  1744   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00405  1744   NtQueryValueKey  (-2147482576,  (-2147482576, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406  1744   NtClose  (-2147482576, ... ) == 0x0
 00407  1744   NtQueryDefaultLocale  (0, -134731444, ... ) == 0x0
 00408  1744   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00409  1744   NtUserCallNoParam  (24, ... ) == 0x0
 00410  1744   NtGdiCreateCompatibleDC  (0, ...
 00411  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0
 00410  1744   NtGdiCreateCompatibleDC  ... ) == 0xf2010663
 00412  1744   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00413  1744   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00414  1744   NtGdiCreateBitmap  (8, 8, 1, 1, 2118200212, ... ) == 0xfd0505f7
 00415  1744   NtGdiCreateSolidBrush  (0, 0, ...
 00416  1744   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0
 00415  1744   NtGdiCreateSolidBrush  ... ) == 0x4210057d
 00417  1744   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00418  1744   NtGdiCreateCompatibleDC  (0, ... ) == 0x69010363
 00419  1744   NtGdiSelectBitmap  (1761674083, -50002441, ... ) == 0x185000f
 00420  1744   NtUserGetThreadDesktop  (1744, 0, ... ) == 0x24
 00421  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0
 00422  1744   NtQueryValueKey  (44,  (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00423  1744   NtClose  (44, ... ) == 0x0
 00424  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00425  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 673, 128, 0, ... ) == 0x8172c017
 00426  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00427  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 674, 128, 0, ... ) == 0x8172c01c
 00428  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00429  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 675, 128, 0, ... ) == 0x8172c01e
 00430  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00431  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 676, 128, 0, ... ) == 0x81728002
 00432  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10013
 00433  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 677, 128, 0, ... ) == 0x8172c018
 00434  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00435  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 678, 128, 0, ... ) == 0x8172c01a
 00436  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00437  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 679, 128, 0, ... ) == 0x8172c01d
 00438  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00439  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 681, 128, 0, ... ) == 0x8172c026
 00440  1744   NtUserFindExistingCursorIcon  (1241132, 1241148, 1241196, ... ) == 0x10011
 00441  1744   NtUserRegisterClassExWOW  (1241144, 1241212, 1241228, 1241244, 680, 128, 0, ... ) == 0x8172c019
 00442  1744   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8172c020
 00443  1744   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8172c022
 00444  1744   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8172c023
 00445  1744   NtUserRegisterClassExWOW  (1241352, 1241448, 1241432, 1241420, 0, 130, 0, ... ) == 0x8172c024
 00446  1744   NtUserRegisterClassExWOW  (1241096, 1241164, 1241180, 1241196, 0, 128, 0, ... ) == 0x8172c025
 00447  1744   NtCallbackReturn  (0, 0, 0, ...
 00448  1744   NtGdiInit  (... ) == 0x1
 00449  1744   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00450  1744   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00451  1744   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00452  1744   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00453  1744   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00454  1744   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00455  1744   NtAllocateVirtualMemory  (-1, 1331200, 0, 12288, 4096, 4, ... 1331200, 12288, ) == 0x0
 00456  1744   NtAllocateVirtualMemory  (-1, 0, 0, 524280, 8192, 4, ... 3538944, 524288, ) == 0x0
 00457  1744   NtAllocateVirtualMemory  (-1, 3538944, 0, 4096, 4096, 4, ... 3538944, 4096, ) == 0x0
 00458  1744   NtUserRegisterWindowMessage  ( ("commctrl_DragListMsg", ... ) , ... ) == 0xc0d0
 00459  1744   NtUserGetDC  (0, ... ) == 0x1010053
 00460  1744   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00461  1744   NtUserFindExistingCursorIcon  (1242880, 1242896, 1242944, ... ) == 0x10015
 00462  1744   NtUserFindExistingCursorIcon  (1242880, 1242896, 1242944, ... ) == 0x10011
 00463  1744   NtUserRegisterWindowMessage  ( ("commdlg_FindReplace", ... ) , ... ) == 0xc0d1
 00464  1744   NtUserRegisterWindowMessage  ( ("Native", ... ) , ... ) == 0xc004
 00465  1744   NtUserRegisterWindowMessage  ( ("OwnerLink", ... ) , ... ) == 0xc003
 00466  1744   NtUserRegisterWindowMessage  ( ("ObjectLink", ... ) , ... ) == 0xc002
 00467  1744   NtUserRegisterWindowMessage  ( ("Embedded Object", ... ) , ... ) == 0xc00a
 00468  1744   NtUserRegisterWindowMessage  ( ("Embed Source", ... ) , ... ) == 0xc00b
 00469  1744   NtUserRegisterWindowMessage  ( ("Link Source", ... ) , ... ) == 0xc00d
 00470  1744   NtUserRegisterWindowMessage  ( ("Object Descriptor", ... ) , ... ) == 0xc00e
 00471  1744   NtUserRegisterWindowMessage  ( ("Link Source Descriptor", ... ) , ... ) == 0xc00f
 00472  1744   NtUserRegisterWindowMessage  ( ("FileName", ... ) , ... ) == 0xc006
 00473  1744   NtUserRegisterWindowMessage  ( ("FileNameW", ... ) , ... ) == 0xc007
 00474  1744   NtUserRegisterWindowMessage  ( ("Rich Text Format", ... ) , ... ) == 0xc0d2
 00475  1744   NtUserRegisterWindowMessage  ( ("RichEdit Text and Objects", ... ) , ... ) == 0xc0d3
 00476  1744   NtUserRegisterWindowMessage  ( ("commdlg_FindReplace", ... ) , ... ) == 0xc0d1
 00477  1744   NtUserCallOneParam  (1944782608, 38, ... ) == 0x1
 00478  1744   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00479  1744   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00480  1744   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00481  1744   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00482  1744   NtQueryDefaultUILanguage  (2090319928, ...
 00483  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00484  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00485  1744   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00486  1744   NtClose  (-2147482576, ... ) == 0x0
 00487  1744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00488  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00489  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00490  1744   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00491  1744   NtClose  (-2147481400, ... ) == 0x0
 00492  1744   NtClose  (-2147482576, ... ) == 0x0
 00482  1744   NtQueryDefaultUILanguage  ... ) == 0x0
 00493  1744   NtQueryInstallUILanguage  (2090319930, ... ) == 0x0
 00494  1744   NtQueryDefaultLocale  (1, 1242264, ... ) == 0x0
 00495  1744   NtQueryDefaultLocale  (1, 1242188, ... ) == 0x0
 00496  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42LOC.DLL"}, 1240908, ... ) }, 1240908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00497  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\MFC42LOC.DLL"}, 1241216, ... ) }, 1241216, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00498  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 44, {status=0x0, info=0}, ) }, 7, 16, ... 44, {status=0x0, info=0}, ) == 0x0
 00499  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231s\346\226[o\343\13<\347\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00500  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00501  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00502  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00503  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00504  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00505  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00506  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00507  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482576, 2, ) }, 0, 0x0, 0, ... -2147482576, 2, ) == 0x0
 00508  1744   NtSetValueKey  (-2147482576,  (-2147482576, "Seed", 0, 3, "\7|;\22\256\236wx\224,\325Q\212\10\342\336&\235\313\330->\260\244\266\230A\364\261\330\360\354\271\355_\254\13\306\345\272\3402H\260\26\356\1\3002\177\322#FC\4\331\302\311\345{\272\257i\272\270\242jM\351'\350\236\352\12\333\3352\244\21\264", 80, ... ) , 0, 3,  (-2147482576, "Seed", 0, 3, "\7|;\22\256\236wx\224,\325Q\212\10\342\336&\235\313\330->\260\244\266\230A\364\261\330\360\354\271\355_\254\13\306\345\272\3402H\260\26\356\1\3002\177\322#FC\4\331\302\311\345{\272\257i\272\270\242jM\351'\350\236\352\12\333\3352\244\21\264", 80, ... ) , 80, ... ) == 0x0
 00509  1744   NtClose  (-2147482576, ... ) == 0x0
 00499  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\333q=3\251@\323\3115\16\275\22\260\257%\270\246/\246z\255\230rcV\234\1\235\10\275\377\261\240\251y\2076\243\3\212\2502\362\24`o\220vm!\10\367}c\257\242O2\305n\240z\312\313.\337c@\2003n\3d\256\26\264\244\26\342\227\146\3770V\243nZ$\252X\205D3\310T\337\261\236\255\24e\345\224Z5\351\266\376[mx\303}\300\31B\10z\27bz\202m\311\15\211A\243\2251V'9>l\353\216\257A|XtN"t7Ykk&M\365\323"\230\363\336G\223,\307\260#\336\311w\204i!\350]r\302\33}\17\326\272\214\207|pM~\315-\372n\16\210YA\342\375\273C@`\363\353\332\367C\247\276\331\316\3006(>\254\365\371z\234j` \10x U\325bg@\334\271P<\370\362\333\266+\20\372\322\314}\266Sd\330\12\26\214\245K\252\300\365\105", ) t7Ykk&M\365\323 ... {status=0x0, info=256}, "\333q=3\251@\323\3115\16\275\22\260\257%\270\246/\246z\255\230rcV\234\1\235\10\275\377\261\240\251y\2076\243\3\212\2502\362\24`o\220vm!\10\367}c\257\242O2\305n\240z\312\313.\337c@\2003n\3d\256\26\264\244\26\342\227\146\3770V\243nZ$\252X\205D3\310T\337\261\236\255\24e\345\224Z5\351\266\376[mx\303}\300\31B\10z\27bz\202m\311\15\211A\243\2251V'9>l\353\216\257A|XtN"t7Ykk&M\365\323"\230\363\336G\223,\307\260#\336\311w\204i!\350]r\302\33}\17\326\272\214\207|pM~\315-\372n\16\210YA\342\375\273C@`\363\353\332\367C\247\276\331\316\3006(>\254\365\371z\234j` \10x U\325bg@\334\271P<\370\362\333\266+\20\372\322\314}\266Sd\330\12\26\214\245K\252\300\365\105", ) , ) == 0x0
 00510  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00511  1744   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00512  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 48, ) }, ... 48, ) == 0x0
 00513  1744   NtQueryValueKey  (48,  (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (48, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00514  1744   NtClose  (48, ... ) == 0x0
 00515  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Ole"}, ... 48, ) }, ... 48, ) == 0x0
 00516  1744   NtQueryValueKey  (48,  (48, "RWLockResourceTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00517  1744   NtClose  (48, ... ) == 0x0
 00518  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00519  1744   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00520  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00521  1744   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00522  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 48, ) }, ... 48, ) == 0x0
 00523  1744   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00524  1744   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00525  1744   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00526  1744   NtClose  (48, ... ) == 0x0
 00527  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 48, ) }, ... 48, ) == 0x0
 00528  1744   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00529  1744   NtQueryValueKey  (48,  (48, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00530  1744   NtClose  (48, ... ) == 0x0
 00531  1744   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 48, ) }, ... 48, ) == 0x0
 00532  1744   NtOpenEvent  (0x1f0003, {24, 48, 0x0, 0, 0,  (0x1f0003, {24, 48, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533  1744   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc077
 00534  1744   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00535  1744   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00536  1744   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00537  1744   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00538  1744   NtCreateSemaphore  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 52, ) }, 0, 2147483647, ... 52, ) == STATUS_OBJECT_NAME_EXISTS
 00539  1744   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 56, ) }, ... 56, ) == 0x0
 00540  1744   NtQueryValueKey  (56,  (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00541  1744   NtClose  (56, ... ) == 0x0
 00542  1744   NtQueryDefaultUILanguage  (1241692, ...
 00543  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00544  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00545  1744   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00546  1744   NtClose  (-2147482576, ... ) == 0x0
 00547  1744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00548  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00550  1744   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00551  1744   NtClose  (-2147481400, ... ) == 0x0
 00552  1744   NtClose  (-2147482576, ... ) == 0x0
 00542  1744   NtQueryDefaultUILanguage  ... ) == 0x0
 00553  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00554  1744   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 60, ) == 0x0
 00555  1744   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x920000), 0x0, 8462336, ) == 0x0
 00556  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00557  1744   NtQueryDefaultLocale  (1, 1239788, ... ) == 0x0
 00558  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00559  1744   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75481, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1736, 1744, 75481, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1240824, 1179817, 1240548} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75481, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6$\18\0\0\0\377\377\377\377\0\0\0\0@ \265\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6$\1\0\0\0\0\0\0\0\0\354\362\22\0\0\0\0\0" )  ) == 0x0
 00560  1744   NtClose  (56, ... ) == 0x0
 00561  1744   NtClose  (60, ... ) == 0x0
 00562  1744   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00563  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00564  1744   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00565  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00566  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00567  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238980, ... ) }, 1238980, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00568  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00569  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00570  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00571  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 1239044, ... ) }, 1239044, ... ) == 0x0
 00572  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03"}, 3, 33, ... 60, {status=0x0, info=1}, ) }, 3, 33, ... 60, {status=0x0, info=1}, ) == 0x0
 00573  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00574  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00575  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00576  1744   NtClose  (56, ... ) == 0x0
 00577  1744   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x920000), 0x0, 1056768, ) == 0x0
 00578  1744   NtClose  (64, ... ) == 0x0
 00579  1744   NtUnmapViewOfSection  (-1, 0x920000, ... ) == 0x0
 00580  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00581  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 56, ) == 0x0
 00582  1744   NtQuerySection  (56, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00583  1744   NtClose  (64, ... ) == 0x0
 00584  1744   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 1060864, ) == 0x0
 00585  1744   NtClose  (56, ... ) == 0x0
 00586  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00587  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00588  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00589  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00590  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00591  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00592  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00593  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00594  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00595  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00596  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00597  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00598  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00599  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00600  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00601  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00602  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00603  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00604  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 1924, 4, ... (0x773d1000), 4096, 32, ) == 0x0
 00605  1744   NtProtectVirtualMemory  (-1, (0x773d1000), 4096, 32, ... (0x773d1000), 4096, 4, ) == 0x0
 00606  1744   NtFlushInstructionCache  (-1, 2000490496, 1924, ... ) == 0x0
 00607  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608  1744   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240524, ... ) , 42, 1240524, ... ) == 0x0
 00609  1744   NtQueryDefaultUILanguage  (1239208, ...
 00610  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00611  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00612  1744   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00613  1744   NtClose  (-2147482576, ... ) == 0x0
 00614  1744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00615  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00616  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00617  1744   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00618  1744   NtClose  (-2147481400, ... ) == 0x0
 00619  1744   NtClose  (-2147482576, ... ) == 0x0
 00609  1744   NtQueryDefaultUILanguage  ... ) == 0x0
 00620  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238048, ... ) }, 1238048, ... ) == 0x0
 00621  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 56, {status=0x0, info=1}, ) }, 5, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00622  1744   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 56, ... 64, ) == 0x0
 00623  1744   NtClose  (56, ... ) == 0x0
 00624  1744   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3f0000), 0x0, 4096, ) == 0x0
 00625  1744   NtClose  (64, ... ) == 0x0
 00626  1744   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00627  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237644, ... ) }, 1237644, ... ) == 0x0
 00628  1744   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238388,  (0x80100080, {24, 0, 0x40, 0, 1238388, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 64, {status=0x0, info=1}, ) == 0x0
 00629  1744   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00630  1744   NtClose  (64, ... ) == 0x0
 00631  1744   NtMapViewOfSection  (56, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3f0000), {0, 0}, 4096, ) == 0x0
 00632  1744   NtClose  (56, ... ) == 0x0
 00633  1744   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00634  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 56, {status=0x0, info=1}, ) }, 1, 96, ... 56, {status=0x0, info=1}, ) == 0x0
 00635  1744   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 56, ... 64, ) == 0x0
 00636  1744   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x3f0000), 0x0, 4096, ) == 0x0
 00637  1744   NtQueryInformationFile  (56, 1238040, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 00638  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639  1744   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75482, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1736, 1744, 75482, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238340, 1179817, 1238064} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75482, 0} "\260d\27\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6$\18\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6$\1\0\0\0\0\0\0\0\08\351\22\0\0\0\0\0" )  ) == 0x0
 00640  1744   NtClose  (56, ... ) == 0x0
 00641  1744   NtClose  (64, ... ) == 0x0
 00642  1744   NtUnmapViewOfSection  (-1, 0x3f0000, ... ) == 0x0
 00643  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00644  1744   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00645  1744   NtUserSystemParametersInfo  (104, 0, 2001084812, 0, ... ) == 0x1
 00646  1744   NtUserGetDC  (0, ... ) == 0x1010053
 00647  1744   NtUserCallOneParam  (16842835, 57, ... ) == 0x1
 00648  1744   NtUserSystemParametersInfo  (38, 4, 2001086940, 0, ... ) == 0x1
 00649  1744   NtUserSystemParametersInfo  (66, 12, 1240040, 0, ... ) == 0x1
 00650  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00651  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00652  1744   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00653  1744   NtClose  (64, ... ) == 0x0
 00654  1744   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 64, ) }, ... 64, ) == 0x0
 00655  1744   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00656  1744   NtAccessCheck  (1338872, 56, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00657  1744   NtClose  (56, ... ) == 0x0
 00658  1744   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "Control Panel\Desktop"}, ... 56, ) }, ... 56, ) == 0x0
 00659  1744   NtQueryValueKey  (56,  (56, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00660  1744   NtClose  (56, ... ) == 0x0
 00661  1744   NtUserSystemParametersInfo  (41, 500, 1240068, 0, ... ) == 0x1
 00662  1744   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00663  1744   NtAccessCheck  (1338872, 56, 0x1, 1239872, 1239924, 56, 1239904, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664  1744   NtClose  (56, ... ) == 0x0
 00665  1744   NtOpenKey  (0x20019, {24, 64, 0x40, 0, 0,  (0x20019, {24, 64, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 56, ) }, ... 56, ) == 0x0
 00666  1744   NtQueryValueKey  (56,  (56, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667  1744   NtClose  (56, ... ) == 0x0
 00668  1744   NtUserSystemParametersInfo  (27, 0, 2001085788, 0, ... ) == 0x1
 00669  1744   NtUserSystemParametersInfo  (102, 0, 2001086828, 0, ... ) == 0x1
 00670  1744   NtClose  (64, ... ) == 0x0
 00671  1744   NtUserSystemParametersInfo  (4130, 0, 1240572, 0, ... ) == 0x1
 00672  1744   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 64, ) }, ... 64, ) == 0x0
 00673  1744   NtEnumerateValueKey  (64, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00674  1744   NtClose  (64, ... ) == 0x0
 00675  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00676  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c03b
 00677  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c03d
 00678  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00679  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c03f
 00680  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00681  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c041
 00682  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00683  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c043
 00684  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c045
 00685  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00686  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c047
 00687  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00688  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c049
 00689  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00690  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c04b
 00691  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00692  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c04d
 00693  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00694  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c04f
 00695  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c051
 00696  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00697  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c053
 00698  1744   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00699  1744   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8172c055
 00700  1744   NtUserFindExistingCursorIcon  (1239816, 1239832, 1239880, ... ) == 0x10011
 00701  1744   NtUserRegisterClassExWOW  (1239760, 1239828, 1239844, 1239860, 0, 384, 0, ... ) == 0x8172c057
 00702  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00703  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c059
 00704  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00705  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c05b
 00706  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00707  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c05d
 00708  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00709  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c05f
 00710  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00711  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c017
 00712  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00713  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c019
 00714  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10013
 00715  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c018
 00716  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00717  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c01a
 00718  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00719  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c01c
 00720  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00721  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c01e
 00722  1744   NtUserFindExistingCursorIcon  (1239812, 1239828, 1239876, ... ) == 0x10011
 00723  1744   NtUserRegisterClassExWOW  (1239812, 1239880, 1239896, 1239912, 0, 384, 0, ... ) == 0x8172c01b
 00724  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00725  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c068
 00726  1744   NtUserFindExistingCursorIcon  (1239820, 1239836, 1239884, ... ) == 0x10011
 00727  1744   NtUserRegisterClassExWOW  (1239764, 1239832, 1239848, 1239864, 0, 384, 0, ... ) == 0x8172c06a
 00728  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 64, ) }, ... 64, ) == 0x0
 00729  1744   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5d090000), 0x0, 630784, ) == 0x0
 00730  1744   NtClose  (64, ... ) == 0x0
 00731  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00732  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00733  1744   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00734  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00735  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00736  1744   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00737  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00738  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00739  1744   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00740  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00741  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00742  1744   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00743  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 1656, 4, ... (0x5d091000), 4096, 32, ) == 0x0
 00744  1744   NtProtectVirtualMemory  (-1, (0x5d091000), 4096, 32, ... (0x5d091000), 4096, 4, ) == 0x0
 00745  1744   NtFlushInstructionCache  (-1, 1560875008, 1656, ... ) == 0x0
 00746  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00747  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00748  1744   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 4128768, 65536, ) == 0x0
 00749  1744   NtAllocateVirtualMemory  (-1, 4128768, 0, 4096, 4096, 4, ... 4128768, 4096, ) == 0x0
 00750  1744   NtAllocateVirtualMemory  (-1, 4132864, 0, 8192, 4096, 4, ... 4132864, 8192, ) == 0x0
 00751  1744   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00752  1744   NtAllocateVirtualMemory  (-1, 4141056, 0, 4096, 4096, 4, ... 4141056, 4096, ) == 0x0
 00753  1744   NtAllocateVirtualMemory  (-1, 4145152, 0, 4096, 4096, 4, ... 4145152, 4096, ) == 0x0
 00754  1744   NtQueryDefaultUILanguage  (1239820, ...
 00755  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00756  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482576, ) == 0x0
 00757  1744   NtQueryInformationToken  (-2147482576, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00758  1744   NtClose  (-2147482576, ... ) == 0x0
 00759  1744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... -2147482576, ) }, ... -2147482576, ) == 0x0
 00760  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x240, 0, 0,  (0x80000000, {24, -2147482576, 0x240, 0, 0, "Software\Policies\Microsoft\Control Panel\Desktop"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00761  1744   NtOpenKey  (0x80000000, {24, -2147482576, 0x640, 0, 0,  (0x80000000, {24, -2147482576, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147481400, ) }, ... -2147481400, ) == 0x0
 00762  1744   NtQueryValueKey  (-2147481400,  (-2147481400, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00763  1744   NtClose  (-2147481400, ... ) == 0x0
 00764  1744   NtClose  (-2147482576, ... ) == 0x0
 00754  1744   NtQueryDefaultUILanguage  ... ) == 0x0
 00765  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll"}, 1, 96, ... 64, {status=0x0, info=1}, ) }, 1, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00766  1744   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 64, ... 56, ) == 0x0
 00767  1744   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x930000), 0x0, 618496, ) == 0x0
 00768  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00769  1744   NtQueryDefaultLocale  (1, 1237916, ... ) == 0x0
 00770  1744   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\comctl32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00771  1744   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75483, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 1736, 1744, 75483, 0}  (24, {128, 156, new_msg, 0, 2088850039, 1238952, 1179817, 1238676} "\210\6$\1\33\0\1\0`\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 1736, 1744, 75483, 0} "\300\270\26\0\33\0\1\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\11\4\1\1\1\0@\0D\0\250\6$\1@\0\0\0\377\377\377\377\0\0\0\0\340q\232\0\0\0\0\0k\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\354\6$\1\0\0\0\0\0\0\0\0\234\353\22\0\0\0\0\0" )  ) == 0x0
 00772  1744   NtClose  (64, ... ) == 0x0
 00773  1744   NtClose  (56, ... ) == 0x0
 00774  1744   NtUnmapViewOfSection  (-1, 0x930000, ... ) == 0x0
 00775  1744   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00776  1744   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {1736, 0}, ... 56, ) == 0x0
 00777  1744   NtQueryInformationProcess  (56, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00778  1744   NtClose  (56, ... ) == 0x0
 00779  1744   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00780  1744   NtUserSystemParametersInfo  (104, 0, 1561338260, 0, ... ) == 0x1
 00781  1744   NtUserSystemParametersInfo  (38, 4, 1561337988, 0, ... ) == 0x1
 00782  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00783  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 56, ) == 0x0
 00784  1744   NtQueryInformationToken  (56, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00785  1744   NtClose  (56, ... ) == 0x0
 00786  1744   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 56, ) }, ... 56, ) == 0x0
 00787  1744   NtOpenProcessToken  (-1, 0x8, ... 64, ) == 0x0
 00788  1744   NtAccessCheck  (1338872, 64, 0x1, 1241012, 1241064, 56, 1241044, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00789  1744   NtClose  (64, ... ) == 0x0
 00790  1744   NtOpenKey  (0x20019, {24, 56, 0x40, 0, 0,  (0x20019, {24, 56, 0x40, 0, 0, "Control Panel\Desktop"}, ... 64, ) }, ... 64, ) == 0x0
 00791  1744   NtQueryValueKey  (64,  (64, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00792  1744   NtClose  (64, ... ) == 0x0
 00793  1744   NtUserSystemParametersInfo  (41, 500, 1241192, 0, ... ) == 0x1
 00794  1744   NtUserSystemParametersInfo  (102, 0, 1561338280, 0, ... ) == 0x1
 00795  1744   NtClose  (56, ... ) == 0x0
 00796  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00797  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c03b
 00798  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c03d
 00799  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00800  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c03f
 00801  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00802  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c041
 00803  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00804  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c043
 00805  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c045
 00806  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00807  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c047
 00808  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00809  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c049
 00810  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00811  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c04b
 00812  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00813  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c04d
 00814  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00815  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c04f
 00816  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c051
 00817  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00818  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c053
 00819  1744   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00820  1744   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8172c055
 00821  1744   NtUserFindExistingCursorIcon  (1240940, 1240956, 1241004, ... ) == 0x10011
 00822  1744   NtUserRegisterClassExWOW  (1240884, 1240952, 1240968, 1240984, 0, 384, 0, ... ) == 0x8172c057
 00823  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00824  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c059
 00825  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10013
 00826  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c05b
 00827  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00828  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c05d
 00829  1744   NtUserFindExistingCursorIcon  (1240944, 1240960, 1241008, ... ) == 0x10011
 00830  1744   NtUserRegisterClassExWOW  (1240888, 1240956, 1240972, 1240988, 0, 384, 0, ... ) == 0x8172c05f
 00831  1744   NtTestAlert  (... ) == 0x0
 00832  1744   NtContinue  (1244464, 1, ...
 00833  1744   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x43e66d,}, 4, ... ) == 0x0
 00834  1744   NtProtectVirtualMemory  (-1, (0x420000), 4096, 4, ... (0x420000), 4096, 2, ) == 0x0
 00835  1744   NtProtectVirtualMemory  (-1, (0x420000), 4096, 2, ... (0x420000), 4096, 4, ) == 0x0
 00836  1744   NtAllocateVirtualMemory  (-1, 3297280, 0, 8192, 4096, 4, ... 3297280, 8192, ) == 0x0
 00837  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00838  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00839  1744   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00840  1744   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00841  1744   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 00842  1744   NtAllocateVirtualMemory  (-1, 1216512, 0, 4096, 4096, 260, ... 1216512, 4096, ) == 0x0
 00843  1744   NtAllocateVirtualMemory  (-1, 1212416, 0, 4096, 4096, 260, ... 1212416, 4096, ) == 0x0
 00844  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00845  1744   NtAllocateVirtualMemory  (-1, 1208320, 0, 4096, 4096, 260, ... 1208320, 4096, ) == 0x0
 00846  1744   NtAllocateVirtualMemory  (-1, 1204224, 0, 4096, 4096, 260, ... 1204224, 4096, ) == 0x0
 00847  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00848  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00849  1744   NtDelayExecution  (0, {0, 0}, ... ) == 0x0
 00850  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00851  1744   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00852  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 56, {status=0x0, info=1}, ) }, 3, 16417, ... 56, {status=0x0, info=1}, ) == 0x0
 00853  1744   NtQueryInformationFile  (56, 1242368, 528, Name, ... {status=0x0, info=6}, ) == 0x0
 00854  1744   NtQueryVolumeInformationFile  (56, 1340616, 284, Volume, ... {status=0x0, info=18}, ) == 0x0
 00855  1744   NtClose  (56, ... ) == 0x0
 00856  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00857  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00858  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00859  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00860  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00861  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00862  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00863  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00864  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00865  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00866  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00867  1744   NtDelayExecution  (0, {-70000, -1}, ... ) == 0x0
 00868  1744   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00869  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00870  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00871  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00872  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System\CentralProcessor\0"}, ... 56, ) }, ... 56, ) == 0x0
 00873  1744   NtQueryValueKey  (56,  (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) }, 16, ) == 0x0
 00874  1744   NtClose  (56, ... ) == 0x0
 00875  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System\CentralProcessor\0"}, ... 56, ) }, ... 56, ) == 0x0
 00876  1744   NtQueryValueKey  (56,  (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (56, "~Mhz", Partial, 144, ... TitleIdx=0, Type=4, Data="\177\14\0\0"}, 16, ) }, 16, ) == 0x0
 00877  1744   NtClose  (56, ... ) == 0x0
 00878  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00879  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00880  1744   NtDelayExecution  (0, {-20000, -1}, ... ) == 0x0
 00881  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00882  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00883  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00884  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00885  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00886  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00887  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00888  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00889  1744   NtClose  (56, ... ) == 0x0
 00890  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00891  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00892  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00893  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00894  1744   NtQueryValueKey  (56,  (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (56, "SystemBiosDate", Partial, 144, ... TitleIdx=0, Type=1, Data="0\04\0/\01\07\0/\00\06\0\0\0"}, 30, ) }, 30, ) == 0x0
 00895  1744   NtClose  (56, ... ) == 0x0
 00896  1744   NtDelayExecution  (0, {-350000, -1}, ... ) == 0x0
 00897  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00898  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00899  1744   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00900  1744   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00901  1744   NtClose  (56, ... ) == 0x0
 00902  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "HARDWARE\DESCRIPTION\System"}, ... 56, ) }, ... 56, ) == 0x0
 00903  1744   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904  1744   NtQueryValueKey  (56,  (56, "VideoBiosDate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905  1744   NtClose  (56, ... ) == 0x0
 00906  1744   NtQueryVirtualMemory  (-1, 0x7c80be30, Basic, 28, ... {BaseAddress=0x7c80b000,AllocationBase=0x7c800000,AllocationProtect=0x80,RegionSize=0x79000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0
 00907  1744   NtContinue  (1241384, 0, ...
 00908  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00909  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00910  1744   NtOpenProcessToken  (-1, 0x8, ... 56, ) == 0x0
 00911  1744   NtQueryInformationToken  (56, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00912  1744   NtClose  (56, ... ) == 0x0
 00913  1744   NtDelayExecution  (0, {-390000, -1}, ... ) == 0x0
 00914  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00915  1744   NtDelayExecution  (0, {-10000, -1}, ... ) == 0x0
 00916  1744   NtDelayExecution  (0, {-380000, -1}, ... ) == 0x0
 00917  1744   NtDelayExecution  (0, {-380000, -1}, ... ) == 0x0
 00918  1744   NtDelayExecution  (0, {-390000, -1}, ... ) == 0x0
 00919  1744   NtAllocateVirtualMemory  (-1, 3305472, 0, 12288, 4096, 4, ... 3305472, 12288, ) == 0x0
 00920  1744   NtCreateMutant  (0x1f0001, {24, 48, 0x80, 0, 0,  (0x1f0001, {24, 48, 0x80, 0, 0, "398815EBC0F6501A36863825758F0CE3C6832B0F329F39516FF917E3C2832212339B385673B416E0"}, 0, ... 56, ) }, 0, ... 56, ) == 0x0
 00921  1744   NtDelayExecution  (0, {-390000, -1}, ... ) == 0x0
 00922  1744   NtDelayExecution  (0, {-320000, -1}, ... ) == 0x0
 00923  1744   NtDelayExecution  (0, {-33060000, -1}, ... ) == 0x0
 00924  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00925  1744   NtAllocateVirtualMemory  (-1, 1200128, 0, 4096, 4096, 260, ... 1200128, 4096, ) == 0x0
 00926  1744   NtAllocateVirtualMemory  (-1, 1196032, 0, 4096, 4096, 260, ... 1196032, 4096, ) == 0x0
 00927  1744   NtAllocateVirtualMemory  (-1, 1191936, 0, 4096, 4096, 260, ... 1191936, 4096, ) == 0x0
 00928  1744   NtAllocateVirtualMemory  (-1, 1187840, 0, 4096, 4096, 260, ... 1187840, 4096, ) == 0x0
 00929  1744   NtAllocateVirtualMemory  (-1, 1183744, 0, 4096, 4096, 260, ... 1183744, 4096, ) == 0x0
 00930  1744   NtAllocateVirtualMemory  (-1, 1179648, 0, 4096, 4096, 260, ... 1179648, 4096, ) == 0x0
 00931  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 00932  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00933  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00934  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00935  1744   NtDelayExecution  (0, {-350000, -1}, ... ) == 0x0
 00936  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00937  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00938  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00939  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00940  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00941  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00942  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 64, ) }, ... 64, ) == 0x0
 00943  1744   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00944  1744   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00945  1744   NtClose  (64, ... ) == 0x0
 00946  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 64, ) }, ... 64, ) == 0x0
 00947  1744   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00948  1744   NtQueryValueKey  (64,  (64, "runner1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00949  1744   NtClose  (64, ... ) == 0x0
 00950  1744   NtCreateKey  (0x20006, {24, 28, 0x40, 0, 0,  (0x20006, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, "", 0, ... 64, 2, ) }, 0, "", 0, ... 64, 2, ) == 0x0
 00951  1744   NtSetValueKey  (64,  (64, "runner1", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0r\0o\0f\0i\0n\0u\0.\0e\0x\0e\0 \0\0\0", 48, ... , 0, 1,  (64, "runner1", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0m\0r\0o\0f\0i\0n\0u\0.\0e\0x\0e\0 \0\0\0", 48, ... , 48, ...
 00952  1744   NtSetInformationFile  (-2147482448, -134731984, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00953  1744   NtSetInformationFile  (-2147482448, -134732020, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00954  1744   NtSetInformationFile  (-2147482448, -134732076, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00955  1744   NtSetInformationFile  (-2147482448, -134732384, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00951  1744   NtSetValueKey  ... ) == 0x0
 00956  1744   NtClose  (64, ... ) == 0x0
 00957  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00958  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 00959  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 00960  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00961  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 64, ) == 0x0
 00962  1744   NtQueryInformationToken  (64, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00963  1744   NtClose  (64, ... ) == 0x0
 00964  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes"}, ... 64, ) }, ... 64, ) == 0x0
 00965  1744   NtSetInformationObject  (66, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00966  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00967  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00968  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00970  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00971  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00972  1744   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 00973  1744   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00974  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 68, ) }, ... 68, ) == 0x0
 00975  1744   NtCreateKey  (0x20006, {24, 68, 0x40, 0, 0,  (0x20006, {24, 68, 0x40, 0, 0, "WR"}, 0, "", 0, ... }, 0, "", 0, ...
 00976  1744   NtSetInformationFile  (-2147482448, -134733068, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00977  1744   NtSetInformationFile  (-2147482448, -134732888, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00978  1744   NtSetInformationFile  (-2147482448, -134732880, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 00975  1744   NtCreateKey  ... 72, 1, ) == 0x0
 00979  1744   NtClose  (68, ... ) == 0x0
 00980  1744   NtQueryKey  (74, Name, 392, ... {Name= (74, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 00981  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00982  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 00983  1744   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00984  1744   NtClose  (68, ... ) == 0x0
 00985  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986  1744   NtSetValueKey  (74,  (74, "cmd", 0, 1, "\0\0", 2, ... ) , 0, 1,  (74, "cmd", 0, 1, "\0\0", 2, ... ) , 2, ... ) == 0x0
 00987  1744   NtClose  (74, ... ) == 0x0
 00988  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00989  1744   NtQueryDirectoryFile  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1,  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1, "mrofinu.exe.tmp", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 00990  1744   NtClose  (72, ... ) == 0x0
 00991  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00992  1744   NtQueryDirectoryFile  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1,  (72, 0, 0, 0, 1243096, 616, BothDirectory, 1, "mrofinu.exe", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE
 00993  1744   NtClose  (72, ... ) == 0x0
 00994  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 72, {status=0x0, info=1}, ) }, 3, 16417, ... 72, {status=0x0, info=1}, ) == 0x0
 00995  1744   NtQueryDirectoryFile  (72, 0, 0, 0, 1242512, 616, BothDirectory, 1,  (72, 0, 0, 0, 1242512, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 00996  1744   NtClose  (72, ... ) == 0x0
 00997  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00998  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 72, ) == 0x0
 00999  1744   NtQueryInformationToken  (72, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01000  1744   NtClose  (72, ... ) == 0x0
 01001  1744   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 72, ) }, ... 72, ) == 0x0
 01002  1744   NtSetInformationObject  (72, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01003  1744   NtOpenKey  (0x1, {24, 72, 0x40, 0, 0,  (0x1, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 68, ) }, ... 68, ) == 0x0
 01004  1744   NtQueryValueKey  (68,  (68, "NoFileFolderConnection", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01005  1744   NtClose  (68, ... ) == 0x0
 01006  1744   NtSetThreadExecutionState  (-2147483647, 1244004, ... ) == 0x0
 01007  1744   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01008  1744   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "ShellCopyEngineRunning"}, 0, 0, ... 68, ) }, 0, 0, ... 68, ) == 0x0
 01009  1744   NtSetEvent  (68, ... 0x0, ) == 0x0
 01010  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\U:\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01011  1744   NtQueryDirectoryFile  (76, 0, 0, 0, 1238540, 616, BothDirectory, 1,  (76, 0, 0, 0, 1238540, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=100}, ) , 0, ... {status=0x0, info=100}, ) == 0x0
 01012  1744   NtClose  (76, ... ) == 0x0
 01013  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\u:\work\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01014  1744   NtQueryDirectoryFile  (76, 0, 0, 0, 1240288, 616, BothDirectory, 1,  (76, 0, 0, 0, 1240288, 616, BothDirectory, 1, "packed.exe", 0, ... {status=0x0, info=120}, ) , 0, ... {status=0x0, info=120}, ) == 0x0
 01015  1744   NtAllocateVirtualMemory  (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0
 01016  1744   NtQueryDirectoryFile  (76, 0, 0, 0, 1346120, 4096, BothDirectory, 0, 0x0, 0, ... ) == STATUS_NO_MORE_FILES
 01017  1744   NtClose  (76, ... ) == 0x0
 01018  1744   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 76, {status=0x0, info=1}, ) }, 3, 16417, ... 76, {status=0x0, info=1}, ) == 0x0
 01019  1744   NtQueryDirectoryFile  (76, 0, 0, 0, 1239128, 616, BothDirectory, 1,  (76, 0, 0, 0, 1239128, 616, BothDirectory, 1, "*", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01020  1744   NtClose  (76, ... ) == 0x0
 01021  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01022  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01023  1744   NtOpenEvent  (0x100000, {24, 48, 0x0, 0, 0,  (0x100000, {24, 48, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01024  1744   NtUserQueryWindow  (65670, 0, ... ) == 0x6b8
 01025  1744   NtUserQueryWindow  (65670, 1, ... ) == 0x6bc
 01026  1744   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01027  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1238040, ... ) }, 1238040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01028  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 1238040, ... ) }, 1238040, ... ) == 0x0
 01029  1744   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SETUPAPI.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0
 01030  1744   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 76, ... 80, ) == 0x0
 01031  1744   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01032  1744   NtClose  (76, ... ) == 0x0
 01033  1744   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77920000), 0x0, 995328, ) == 0x0
 01034  1744   NtClose  (80, ... ) == 0x0
 01035  1744   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01036  1744   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01037  1744   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01038  1744   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01039  1744   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01040  1744   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01041  1744   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01042  1744   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01043  1744   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01044  1744   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01045  1744   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01046  1744   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01047  1744   NtProtectVirtualMemory  (-1, (0x77921000), 1368, 4, ... (0x77921000), 4096, 32, ) == 0x0
 01048  1744   NtProtectVirtualMemory  (-1, (0x77921000), 4096, 32, ... (0x77921000), 4096, 4, ) == 0x0
 01049  1744   NtFlushInstructionCache  (-1, 2006061056, 1368, ... ) == 0x0
 01050  1744   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01051  1744   NtQueryDefaultLocale  (1, 1237944, ... ) == 0x0
 01052  1744   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01053  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01054  1744   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01055  1744   NtClose  (80, ... ) == 0x0
 01056  1744   NtUserGetProcessWindowStation  (... ) == 0x10
 01057  1744   NtUserGetObjectInformation  (16, 1, 1237540, 12, 1237552, ... ) == 0x1
 01058  1744   NtOpenKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\MiniNT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01059  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\WPA\PnP"}, ... 80, ) }, ... 80, ) == 0x0
 01060  1744   NtQueryValueKey  (80,  (80, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\240d\351\211"}, 16, ) }, 16, ) == 0x0
 01061  1744   NtClose  (80, ... ) == 0x0
 01062  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01063  1744   NtQueryValueKey  (80,  (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01064  1744   NtQueryValueKey  (80,  (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01065  1744   NtClose  (80, ... ) == 0x0
 01066  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01067  1744   NtQueryValueKey  (80,  (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01068  1744   NtQueryValueKey  (80,  (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01069  1744   NtClose  (80, ... ) == 0x0
 01070  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01071  1744   NtQueryValueKey  (80,  (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01072  1744   NtQueryValueKey  (80,  (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01073  1744   NtClose  (80, ... ) == 0x0
 01074  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01075  1744   NtQueryValueKey  (80,  (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01076  1744   NtQueryValueKey  (80,  (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01077  1744   NtClose  (80, ... ) == 0x0
 01078  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01079  1744   NtQueryValueKey  (80,  (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01080  1744   NtQueryValueKey  (80,  (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (80, "ServicePackCachePath", Partial, 144, ... TitleIdx=0, Type=1, Data="c\0:\0\\0w\0i\0n\0d\0o\0w\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0F\0i\0l\0e\0s\0\\0S\0e\0r\0v\0i\0c\0e\0P\0a\0c\0k\0C\0a\0c\0h\0e\0\0\0"}, 102, ) }, 102, ) == 0x0
 01081  1744   NtClose  (80, ... ) == 0x0
 01082  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 01083  1744   NtQueryValueKey  (80,  (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01084  1744   NtQueryValueKey  (80,  (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (80, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01085  1744   NtClose  (80, ... ) == 0x0
 01086  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 80, ) }, ... 80, ) == 0x0
 01087  1744   NtQueryValueKey  (80,  (80, "DevicePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01088  1744   NtQueryValueKey  (80,  (80, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) , Partial, 346, ... TitleIdx=0, Type=2, Data= (80, "DevicePath", Partial, 346, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0c\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\0a\0r\0i\0c\0h\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0c\0e\0r\0c\0s\0r\06\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0a\03\02\00\0r\0a\0i\0d\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0i\0a\0s\0t\0o\0r\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0d\0e\0l\0l\0\\0n\0v\0r\0a\0i\0d\0\0\0"}, 346, ) }, 346, ) == 0x0
 01089  1744   NtClose  (80, ... ) == 0x0
 01090  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0
 01091  1744   NtCreateMutant  (0x1f0001, 0x0, 0, ... 76, ) == 0x0
 01092  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 01093  1744   NtCreateMutant  (0x1f0001, 0x0, 0, ... 88, ) == 0x0
 01094  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 92, ) == 0x0
 01095  1744   NtCreateMutant  (0x1f0001, 0x0, 0, ... 96, ) == 0x0
 01096  1744   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 100, ) }, ... 100, ) == 0x0
 01097  1744   NtQueryValueKey  (100,  (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01098  1744   NtQueryValueKey  (100,  (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (100, "LogLevel", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01099  1744   NtQueryValueKey  (100,  (100, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100  1744   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01101  1744   NtClose  (100, ... ) == 0x0
 01102  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 01103  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 100, ) }, ... 100, ) == 0x0
 01104  1744   NtQueryValueKey  (100,  (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (100, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01105  1744   NtClose  (100, ... ) == 0x0
 01106  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 01107  1744   NtQueryValueKey  (100,  (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) , Data= (100, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 52, ) }, 52, ) == 0x0
 01108  1744   NtClose  (100, ... ) == 0x0
 01109  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01110  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 100, ) }, ... 100, ) == 0x0
 01111  1744   NtQueryValueKey  (100,  (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (100, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01112  1744   NtClose  (100, ... ) == 0x0
 01113  1744   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01114  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01115  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 100, ) }, ... 100, ) == 0x0
 01116  1744   NtQueryValueKey  (100,  (100, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01117  1744   NtClose  (100, ... ) == 0x0
 01118  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01119  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 100, ) == 0x0
 01120  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 104, ) == 0x0
 01121  1744   NtQuerySystemTime  (... {-1481559686, 29927090}, ) == 0x0
 01122  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 108, ) == 0x0
 01123  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01125  1744   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01126  1744   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01127  1744   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0
 01128  1744   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 116, ) == 0x0
 01129  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 120, ) }, ... 120, ) == 0x0
 01130  1744   NtOpenKey  (0x20019, {24, 120, 0x40, 0, 0,  (0x20019, {24, 120, 0x40, 0, 0, "ActiveComputerName"}, ... 124, ) }, ... 124, ) == 0x0
 01131  1744   NtQueryValueKey  (124,  (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= (124, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0
 01132  1744   NtClose  (124, ... ) == 0x0
 01133  1744   NtClose  (120, ... ) == 0x0
 01134  1744   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 120, ) == 0x0
 01135  1744   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 124, ) == 0x0
 01136  1744   NtDuplicateObject  (-1, 120, -1, 0x0, 0, 2, ... 128, ) == 0x0
 01137  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01138  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01139  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01140  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01141  1744   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238296,  (0xc0100080, {24, 0, 0x40, 0, 1238296, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0
 01142  1744   NtSetInformationFile  (136, 1238352, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01143  1744   NtSetInformationFile  (136, 1238340, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01144  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01145  1744   NtWriteFile  (136, 113, 0, 0,  (136, 113, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01146  1744   NtReadFile  (136, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (136, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01147  1744   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20N+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01148  1744   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340*\0,\0\374\217\222w\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340*\0,\0\374\217\222w\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340\0\0\0\0", ) , ) == 0x103
 01149  1744   NtFsControlFile  (136, 113, 0x0, 0x0, 0x11c017,  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (136, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0&H/\254b\363\222I\243j\304#\242z\321\340", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01150  1744   NtClose  (132, ... ) == 0x0
 01151  1744   NtClose  (136, ... ) == 0x0
 01152  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01153  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 136, ) == 0x0
 01154  1744   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01155  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01156  1744   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1238296,  (0xc0100080, {24, 0, 0x40, 0, 1238296, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0
 01157  1744   NtSetInformationFile  (132, 1238352, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01158  1744   NtSetInformationFile  (132, 1238340, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01159  1744   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01160  1744   NtWriteFile  (132, 113, 0, 0,  (132, 113, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01161  1744   NtReadFile  (132, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (132, 113, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01162  1744   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20O+\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01163  1744   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\210oap\245}d@\240\5u8poe8"\0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) \0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\210oap\245}d@\240\5u8poe8"\0$\0\0\217\222w\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8\0\0\0\0", ) == 0x103
 01164  1744   NtFsControlFile  (132, 113, 0x0, 0x0, 0x11c017,  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (132, 113, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\210oap\245}d@\240\5u8poe8", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01165  1744   NtClose  (136, ... ) == 0x0
 01166  1744   NtClose  (132, ... ) == 0x0
 01167  1744   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01168  1744   NtOpenProcessToken  (-1, 0x20, ... 132, ) == 0x0
 01169  1744   NtAdjustPrivilegesToken  (132, 0, 1351864, 0, 0, 0, ... ) == 0x0
 01170  1744   NtClose  (132, ... ) == 0x0
 01171  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\333Wm\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 01172  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01173  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01174  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01175  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01176  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01177  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01178  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01179  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01180  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\233\300C\350\3455\336c^\355\301\241\236\11p\312\36H\230\342\333\24)E[\31\201\277\21\354\330\244\305]\342\367\237SZ\315\213\326\205x\363\226\2725x\273\263\2760\351\24\15\330\251\322\2365\326+24\234_LA2\361l\204\243\220\325V\226\337\3", 80, ... , 0, 3,  (-2147482128, "Seed", 0, 3, "\233\300C\350\3455\336c^\355\301\241\236\11p\312\36H\230\342\333\24)E[\31\201\277\21\354\330\244\305]\342\367\237SZ\315\213\326\205x\363\226\2725x\273\263\2760\351\24\15\330\251\322\2365\326+24\234_LA2\361l\204\243\220\325V\226\337\3", 80, ... , 80, ...
 01181  1744   NtSetInformationFile  (-2147482448, -134734244, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01182  1744   NtSetInformationFile  (-2147482448, -134734312, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01180  1744   NtSetValueKey  ... ) == 0x0
 01183  1744   NtClose  (-2147482128, ... ) == 0x0
 01171  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\204\252\207\363\\311a\350\262^\375\370\251\213\367\327\255\6`t\360\352>e\245;mO\375F\232\352T\33\275\352Hy\17HgD\225\34m\332\330\276*}\2710\2\234\202\257R\276\326\206\254\16\2\31Yv\275\267^\307(Q6wp\256_5q\227\&+W8\236\312l\1\267\214\206i{m\310\357By\374\0mi>`\343Ag\363\322.\265Y3\230\250\200xj\232\10u\357\242\34v\1\367\322z\366\255\262\20\334EA\241\315^4+\317d\316\276\11\16\255p\345\253"\310p:\333\265\4&\260)\12s\273\346b\355\204\327\312\37\226I`&"\301\304\207\3672"\11\177X*.e\225\206\351\215\315\216\220\12W2M\3'g\376\344:\32\234Y\26\260\265\371,\22\3068.\3051\226\341/\326\273\302fW\245\20\245s\352\35\13\20\345\253E\302\307\374\376\337\321Dx\2467E\357\302C7n", ) \310p:\333\265\4&\260)\12s\273\346b\355\204\327\312\37\226I`& ... {status=0x0, info=256}, "\204\252\207\363\\311a\350\262^\375\370\251\213\367\327\255\6`t\360\352>e\245;mO\375F\232\352T\33\275\352Hy\17HgD\225\34m\332\330\276*}\2710\2\234\202\257R\276\326\206\254\16\2\31Yv\275\267^\307(Q6wp\256_5q\227\&+W8\236\312l\1\267\214\206i{m\310\357By\374\0mi>`\343Ag\363\322.\265Y3\230\250\200xj\232\10u\357\242\34v\1\367\322z\366\255\262\20\334EA\241\315^4+\317d\316\276\11\16\255p\345\253"\310p:\333\265\4&\260)\12s\273\346b\355\204\327\312\37\226I`&"\301\304\207\3672"\11\177X*.e\225\206\351\215\315\216\220\12W2M\3'g\376\344:\32\234Y\26\260\265\371,\22\3068.\3051\226\341/\326\273\302fW\245\20\245s\352\35\13\20\345\253E\302\307\374\376\337\321Dx\2467E\357\302C7n", ) \11\177X*.e\225\206\351\215\315\216\220\12W2M\3'g\376\344:\32\234Y\26\260\265\371,\22\3068.\3051\226\341/\326\273\302fW\245\20\245s\352\35\13\20\345\253E\302\307\374\376\337\321Dx\2467E\357\302C7n", ) == 0x0
 01184  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01185  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01186  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01187  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01188  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01189  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01190  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01191  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01192  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01193  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "I-\5\34\241@[\346\203\276\303\304i\256\373:K\367\323\271\205\321\316K\220A&=\332\234U\240\5\226]\345\366&\17J\22\205^6\357\212Z\232\22:y\263\242\253l\366/m\205u\242\314\206<\237Y\360r\371$c\257J2\270f\337\3431\26", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "I-\5\34\241@[\346\203\276\303\304i\256\373:K\367\323\271\205\321\316K\220A&=\332\234U\240\5\226]\345\366&\17J\22\205^6\357\212Z\232\22:y\263\242\253l\366/m\205u\242\314\206<\237Y\360r\371$c\257J2\270f\337\3431\26", 80, ... ) , 80, ... ) == 0x0
 01194  1744   NtClose  (-2147482128, ... ) == 0x0
 01184  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\214\27\252\23C\27\254X\236\350\33\246Z\227\376\14M\223H\4ug(\327]\360G8\243^e\270\257X\25og\313\372Y\20G\37\205\365\207\346jf%K\2663\16\304\26\365\3\305\374\222\247\26\320\330q\367i\257\253\240F\35\331\325\270}p\267\220!&\262\264\2441"\344\15+\225\237\365\244dK\232T*Lh\220+\205\274\3721\322v\275\261\351\4\347\324\14\235\206K\277,D\261\323\200h\327\2065\267\351y\365\10\7\225\34K\11\312m\312c\22\32\10\277W\376\205:\35\0vA\371k\247\257^Y\320\307\\31j\357\357\363\237\313\224\22P;\325\36\10.-0H\204[\300\276"N\337#\331\357Ix\34\3624[\256&\215\5\346\3549\262)$o\377\1\302\257\254\272\256\33\321v\247XM\14U\337\326\204S\260\347\236\341\362\323\351\222\36\262\3566\46\343\15\236\356\326\212\17.N\243;x\241", ) \344\15+\225\237\365\244dK\232T*Lh\220+\205\274\3721\322v\275\261\351\4\347\324\14\235\206K\277,D\261\323\200h\327\2065\267\351y\365\10\7\225\34K\11\312m\312c\22\32\10\277W\376\205:\35\0vA\371k\247\257^Y\320\307\\31j\357\357\363\237\313\224\22P;\325\36\10.-0H\204[\300\276 ... {status=0x0, info=256}, "\214\27\252\23C\27\254X\236\350\33\246Z\227\376\14M\223H\4ug(\327]\360G8\243^e\270\257X\25og\313\372Y\20G\37\205\365\207\346jf%K\2663\16\304\26\365\3\305\374\222\247\26\320\330q\367i\257\253\240F\35\331\325\270}p\267\220!&\262\264\2441"\344\15+\225\237\365\244dK\232T*Lh\220+\205\274\3721\322v\275\261\351\4\347\324\14\235\206K\277,D\261\323\200h\327\2065\267\351y\365\10\7\225\34K\11\312m\312c\22\32\10\277W\376\205:\35\0vA\371k\247\257^Y\320\307\\31j\357\357\363\237\313\224\22P;\325\36\10.-0H\204[\300\276"N\337#\331\357Ix\34\3624[\256&\215\5\346\3549\262)$o\377\1\302\257\254\272\256\33\321v\247XM\14U\337\326\204S\260\347\236\341\362\323\351\222\36\262\3566\46\343\15\236\356\326\212\17.N\243;x\241", ) , ) == 0x0
 01195  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01196  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01197  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01198  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01199  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01200  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01201  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01202  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01203  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01204  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "w\346,\225\256\222\320\335\202\210\225\266-\20\27\367\17\236\357\324SWv\363\306\215\20\25\325\34\241\275\375\376f-\263\241qE\325\225k\360P\275\334\227\362\224\313W\343\3\32\217\340B\200!\10\231\270t\32!\364\225\273\256*\242A\11\246\300%\345\300\377", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "w\346,\225\256\222\320\335\202\210\225\266-\20\27\367\17\236\357\324SWv\363\306\215\20\25\325\34\241\275\375\376f-\263\241qE\325\225k\360P\275\334\227\362\224\313W\343\3\32\217\340B\200!\10\231\270t\32!\364\225\273\256*\242A\11\246\300%\345\300\377", 80, ... ) , 80, ... ) == 0x0
 01205  1744   NtClose  (-2147482128, ... ) == 0x0
 01195  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\221\377\341\265Zd|I\25.\243\6\322\336J\304\11\217\2657\237C\217\346\312\332\3623z\233\2424\240\0\323/\337w\256\341\241<\202O\241{\344\3061\364Q\316\325x\374\251\23@\356\202\245z\224\273\\2624\346[\213\336\216\245\267aj\21\240;#\242\345\327\201\365\10\266~f\36\31j @}\237\223\377\257\305X\304M\2535\204^a.?\14\14\275Ez\201\202\271\317\310J\352t<\201>\353:\231+\356b&\314\3152\334\210\375\246\10Zyw/\277\11\217\354\314\2066\331\276\333F\267.P\256\17\207\255J\355\36q\335b@\220A\224\25n\307\234\235E\260\32\362KwB\34\361\215\16\207p\272\261\260\337-_6\337{\1\4G\256.\2\267o\350\350i\251\14\344\235\206qX\256\25Cc\257\364\355.u\335N\0\265\330D`\343:T\20\32f\263\343'\203\333RI\326\242]\234M\240\363", ) , ) == 0x0
 01206  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01207  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01208  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01209  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01210  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01211  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01212  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01213  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01214  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01215  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "\315%\2575\271\312\4}\241\244-\330\245\310@\376*'/)\362\301\306\177\2\227\220\322\264\365\2166\\5\375\221\206A\305\35Q\230\344\374\355\306\230\234?\7\220\21\320\37\205~\5\363xX\313\301\223C\271\\265f\364\2743\314|\22\336\17b\234\361\242", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "\315%\2575\271\312\4}\241\244-\330\245\310@\376*'/)\362\301\306\177\2\227\220\322\264\365\2166\\5\375\221\206A\305\35Q\230\344\374\355\306\230\234?\7\220\21\320\37\205~\5\363xX\313\301\223C\271\\265f\364\2743\314|\22\336\17b\234\361\242", 80, ... ) , 80, ... ) == 0x0
 01216  1744   NtClose  (-2147482128, ... ) == 0x0
 01206  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\272U\312\235U\12\17i\17\246\200\355\27=\306\377"\361\312\377\276\377\204X\243<\312\21\316\331<\236\213\357\366\22\374`\353I\353/\230\12-8\335}>\20Ww\235\261\363\204\36\16\370\12\345gJF\323\200N\303rP\305\24\215(\207<\6\261\311=\374f\31\370a\253\340P6\250[ST\24\300Sh]\265\231\212\373\245\11\226\-\312O\372"\355\263\262\273p2=3\30580\367\256\216\222n\317\310$o\261\34\2678\17\246T\225\335t\h`\250\243N\324\340\20]\6W\377\4\256\265%U\270\323%\273\376\222\246\17C2w~\230\326\204q\5\205D\222\225\32,\236o\332"+\335\255\312\347I\311\216}\7\325\276Hl\355\223f\316\254\221\16\256\3635\254\325]\30%T\210\256yB\237\200.\237az\34J5\327\332\302\376_\364\222\3262\243\276\226\21r\362\34\364\342\254C\206\335\216\307k\222\372", ) \361\312\377\276\377\204X\243<\312\21\316\331<\236\213\357\366\22\374`\353I\353/\230\12-8\335}>\20Ww\235\261\363\204\36\16\370\12\345gJF\323\200N\303rP\305\24\215(\207<\6\261\311=\374f\31\370a\253\340P6\250[ST\24\300Sh]\265\231\212\373\245\11\226\-\312O\372 ... {status=0x0, info=256}, "\272U\312\235U\12\17i\17\246\200\355\27=\306\377"\361\312\377\276\377\204X\243<\312\21\316\331<\236\213\357\366\22\374`\353I\353/\230\12-8\335}>\20Ww\235\261\363\204\36\16\370\12\345gJF\323\200N\303rP\305\24\215(\207<\6\261\311=\374f\31\370a\253\340P6\250[ST\24\300Sh]\265\231\212\373\245\11\226\-\312O\372"\355\263\262\273p2=3\30580\367\256\216\222n\317\310$o\261\34\2678\17\246T\225\335t\h`\250\243N\324\340\20]\6W\377\4\256\265%U\270\323%\273\376\222\246\17C2w~\230\326\204q\5\205D\222\225\32,\236o\332"+\335\255\312\347I\311\216}\7\325\276Hl\355\223f\316\254\221\16\256\3635\254\325]\30%T\210\256yB\237\200.\237az\34J5\327\332\302\376_\364\222\3262\243\276\226\21r\362\34\364\342\254C\206\335\216\307k\222\372", ) +\335\255\312\347I\311\216}\7\325\276Hl\355\223f\316\254\221\16\256\3635\254\325]\30%T\210\256yB\237\200.\237az\34J5\327\332\302\376_\364\222\3262\243\276\226\21r\362\34\364\342\254C\206\335\216\307k\222\372", ) == 0x0
 01217  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01218  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01219  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01220  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01221  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01222  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01223  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01224  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01225  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01226  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "Y\276\254Q\361}5\224\14\177'\376f\375[\204\15A9c\336>"0, 3,  (-2147482128, "Seed", 0, 3, "Y\276\254Q\361}5\224\14\177'\376f\375[\204\15A9c\336>"233\261\2065P\356\226\253\30\11\266\261Uku\227\312\274DTDk\370\344\271\24\34g\354\214\1\306\304? \327[i\366\236\266\331?$\315\257\252{7L\345(\211", 80, ... ) == 0x0
 01227  1744   NtClose  (-2147482128, ... ) == 0x0
 01217  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\204\327\274\300\332\357\26\315%\377W\310UQ\361\302L\333\200/\334\242\235\371Jf\267\375!\12h9\300*\376\340\200\357s\314\11\2716\345ST\332a\336\20\340i\302\353\260\305\275\242aC=\246\351\6ig\236\320\322\266'\334\243p\7\224\337\335\370@v3PN\243\250\264k\267\336a\177\342'\343\3367~\201B}\235\317[k\35{\330\231\323S\324\366\200;!\203\251,a\227q\320BsF", ) , ) == 0x0
 01228  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01229  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01230  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01231  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01232  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01233  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01234  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01235  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01236  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01237  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, "M\14\27\222p\270\314\362T0\13\251\177\25\0PG\37\337\360|\325U\374\372\11\25\224\317<\222\2-\320\13\315F\351)x, 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, "M\14\27\222p\270\314\362T0\13\251\177\25\0PG\37\337\360|\325U\374\372\11\25\224\317<\222\2-\320\13\315F\351)x, 80, ... ) , 80, ... ) == 0x0
 01238  1744   NtClose  (-2147482128, ... ) == 0x0
 01228  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\376%y\345\13\375}\15\347K\315\300\363P\237\371\341\244e\231\20\357\337\256\3\303\365\377\340P\374\7\202\340g~\303J\341\235*\330\16\300Ih\17jS\260q\327\371\327\300.\275[\340\234\243\361-\350\321\12\213&V\327\252\315X"EO{\324k\230\365\263\11\6,z\316M\373\200\36~\247\364\2166\212~\310\375t\330\231\221A\326\272\341\2653\203\376\357Z^Zv\7O\207\334\357\3R,^\236\361(\335\17y\311\21I\21o\320\222Yv\376\232\203\3169\270[e\350\244P1\211'\24\224\267\242\317\263\367Cv\231f\4K\361\314\11\2219\355"\216@\353\251\311\243\302\247\10e9h"\20\206rCn\350\236\324\275\234T\364\263\300E\261ma1dd\370\244j\221SX\362\225\111\371\346E\144\34R\216t\351\344x\373\353\14w\275M\354\335\2\2564\202n~\335\13\325\313\207\372RS\12)\276", ) EO{\324k\230\365\263\11\6,z\316M\373\200\36~\247\364\2166\212~\310\375t\330\231\221A\326\272\341\2653\203\376\357Z^Zv\7O\207\334\357\3R,^\236\361(\335\17y\311\21I\21o\320\222Yv\376\232\203\3169\270[e\350\244P1\211'\24\224\267\242\317\263\367Cv\231f\4K\361\314\11\2219\355 ... {status=0x0, info=256}, "\376%y\345\13\375}\15\347K\315\300\363P\237\371\341\244e\231\20\357\337\256\3\303\365\377\340P\374\7\202\340g~\303J\341\235*\330\16\300Ih\17jS\260q\327\371\327\300.\275[\340\234\243\361-\350\321\12\213&V\327\252\315X"EO{\324k\230\365\263\11\6,z\316M\373\200\36~\247\364\2166\212~\310\375t\330\231\221A\326\272\341\2653\203\376\357Z^Zv\7O\207\334\357\3R,^\236\361(\335\17y\311\21I\21o\320\222Yv\376\232\203\3169\270[e\350\244P1\211'\24\224\267\242\317\263\367Cv\231f\4K\361\314\11\2219\355"\216@\353\251\311\243\302\247\10e9h"\20\206rCn\350\236\324\275\234T\364\263\300E\261ma1dd\370\244j\221SX\362\225\111\371\346E\144\34R\216t\351\344x\373\353\14w\275M\354\335\2\2564\202n~\335\13\325\313\207\372RS\12)\276", ) \20\206rCn\350\236\324\275\234T\364\263\300E\261ma1dd\370\244j\221SX\362\225\111\371\346E\144\34R\216t\351\344x\373\353\14w\275M\354\335\2\2564\202n~\335\13\325\313\207\372RS\12)\276", ) == 0x0
 01239  1744   NtDeviceIoControlFile  (44, 0, 0x0, 0x0, 0x390008,  (44, 0, 0x0, 0x0, 0x390008, "\277<\4\311U\355\231\5\223)\354\362\321\206\255"\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\250\307\322-\325 \312\336\262m\232H\22G9\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01240  1744   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01241  1744   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01242  1744   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01243  1744   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01244  1744   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01245  1744   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01246  1744   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01247  1744   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482128, 2, ) }, 0, 0x0, 0, ... -2147482128, 2, ) == 0x0
 01248  1744   NtSetValueKey  (-2147482128,  (-2147482128, "Seed", 0, 3, ";\11\232\304\7T*\273\266\3\245LJ\255s\3327\346\315\37\27\221R\240\255\211z\311>\202\21q\232\366@yH\305\215/\276\240\353\374~\347\373\2769z\375\205\347\304\227\355\246\2507x\313\272 \244\205\321`10\332\370|\255l\32\201f\274&<", 80, ... ) , 0, 3,  (-2147482128, "Seed", 0, 3, ";\11\232\304\7T*\273\266\3\245LJ\255s\3327\346\315\37\27\221R\240\255\211z\311>\202\21q\232\366@yH\305\215/\276\240\353\374~\347\373\2769z\375\205\347\304\227\355\246\2507x\313\272 \244\205\321`10\332\370|\255l\32\201f\274&<", 80, ... ) , 80, ... ) == 0x0
 01249  1744   NtClose  (-2147482128, ... ) == 0x0
 01239  1744   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\2758\26g&T\310\355An\254\331\237\272A\22\342m\322S\327\17\4\35\364\335}5\211\373\372\17(l\374\210o1\0\212\26^\27\267\350\277L\15\201\201h\274C-O\255\24\272^ \320_\3\277\35Q.\337\206y\36\177\354U#\12E*A\37\215\340h\323'\33\10\241\244\334\15\225\310\305\15\317\322\300\214\364U\201\15j\256\301\343:\351\361\320\271\7o\335E]\7S\255\37%\30\207\4\21\234_An\343]\11\252~7\356\35h\35\272\360\1"W\262\345*\350\177\345\354\334:\320m\366\31\13Jj8\254\35\265\367'\304\302\256\350\247\16\272\32\361\373i\32\212n4\256\24\374x\2526\276-\276\335;\231q\301\200\332\325\324\333\312\356*?\340\23\205\210W\326&X\307n\246_\232\234\177\220\337\266\300\270r\313\271\26E\251=6\216\260nB4\33\331\255\36\214\353\313\311\354\344\6\331\225\217\20\270", ) W\262\345*\350\177\345\354\334:\320m\366\31\13Jj8\254\35\265\367'\304\302\256\350\247\16\272\32\361\373i\32\212n4\256\24\374x\2526\276-\276\335;\231q\301\200\332\325\324\333\312\356*?\340\23\205\210W\326&X\307n\246_\232\234\177\220\337\266\300\270r\313\271\26E\251=6\216\260nB4\33\331\255\36\214\353\313\311\354\344\6\331\225\217\20\270", ) == 0x0
 01250  1744   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 132, ) == 0x0
 01251  1744   NtConnectPort  ( ("\RPC Control\ntsvcs", {12, 2, 1, 1}, 0x0, 0x0, 1238540, 188, ... 136, 0x0, 0x0, 0x0, 188, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238540, 188, ... 136, 0x0, 0x0, 0x0, 188, ) == 0x0
 01252  1744   NtRequestWaitReplyPort  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257}  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257} "\0\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0`\2\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0?dO\304:\325p\201`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\310\35\30\256\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1736, 1744, 75513, 0} "\7\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0?dO\304:\325p\201`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\310\35\30\256\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ... {200, 224, reply, 0, 1736, 1744, 75513, 0}  (136, {200, 224, new_msg, 0, 1355632, 12, 2, 257} "\0\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0`\2\24\0\4\0\0\0\2\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0?dO\304:\325p\201`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\310\35\30\256\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... {200, 224, reply, 0, 1736, 1744, 75513, 0} "\7\0\0\0\274\0\0\0\3443\24\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\2\0\0\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0?dO\304:\325p\201`\227\24\0`\2\24\0\12\0\0\0\0\0\0\0\0\0\0 (\0\0\0h\227\24\0\310\35\30\256\240\1\24\0\30\257\24\0\\1\24\0\0\0\0\0\0\0\0\0\30\257\24\0P\0\0\0 \257\24\0\360\6\221|`\2\24\0P\0\0\0\346\31\0\0\0\0\24\0\214\344\22\0\372\31\221| \354\22\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" )  ) == 0x0
 01253  1744   NtRequestWaitReplyPort  (136, {112, 136, new_msg, 0, 44, 3, 20, 0}  (136, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\27\0\245}d@\240\5u8poe8"\0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {68, 92, reply, 0, 1736, 1744, 75514, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2746\13\0" ) \0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 (136, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\27\0\245}d@\240\5u8poe8"\0$\0\377\377\377\377\22\0\0\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0P\0r\0i\0v\0i\0l\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {68, 92, reply, 0, 1736, 1744, 75514, 0} "\2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2746\13\0" ) \2\314\274\201\1\0[\200\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367U&\\200d=\266\367\306\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2746\13\0" ) == 0x0
 01254  1744   NtAllocateVirtualMemory  (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0
 01255  1744   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01256  1744   NtOpenProcessToken  (-1, 0x20, ... 140, ) == 0x0
 01257  1744   NtAdjustPrivilegesToken  (140, 0, 1352496, 0, 0, 0, ... ) == 0x0
 01258  1744   NtClose  (140, ... ) == 0x0
 01259  1744   NtRequestWaitReplyPort  (136, {140, 164, new_msg, 0, 1736, 1744, 75514, 0}  (136, {140, 164, new_msg, 0, 1736, 1744, 75514, 0} "\1\314\0\0A\2\26\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\306\0\0\0\0\0\0\0\0\0\0\0\2746\13\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1736, 1744, 75515, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\274\1\0\0\360>\11\0" )  ... {40, 64, reply, 0, 1736, 1744, 75515, 0}  (136, {140, 164, new_msg, 0, 1736, 1744, 75514, 0} "\1\314\0\0A\2\26\0\377\3\37\0\240\314\274\201\0\374\340\377H=\266\367\377\377\377\377d=\266\367\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\306\0\0\0\0\0\0\0\0\0\0\0\2746\13\0e\0g\0e\0l\0e\0g\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {40, 64, reply, 0, 1736, 1744, 75515, 0} "\2\0\370\0\4\0\335\341<\0\370\0\226\245\335\341\264\311\275\201:\332R\200X{\266\367\]\222\201\274\1\0\0\360>\11\0" )  ) == 0x0
 01260  1744   NtRequestWaitReplyPort  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0}  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" ... {64, 88, reply, 56, 1736, 1744, 75516, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" )  ... {64, 88, reply, 56, 1736, 1744, 75516, 0}  (136, {64, 88, new_msg, 56, 1354664, 1239044, 1239144, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" ... {64, 88, reply, 56, 1736, 1744, 75516, 0} "\10\350\22\0@\0\24\0\346\277\347wh\350\22\0\4\350\22\0\20\0\0\0\300j\222w\34\254\24\0\1\0\0\08\261\24\0\274\1\0\0\274\1\0\0\360>\11\0\0\0\0\0\0\0\0\0\20\257\24\0" )  ) == 0x0
 01261  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 140, {status=0x0, info=1}, ) }, 3, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01262  1744   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 144, ) }, ... 144, ) == 0x0
 01263  1744   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01264  1744   NtClose  (144, ... ) == 0x0
 01265  1744   NtQueryVolumeInformationFile  (140, 1237816, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01266  1744   NtClose  (140, ... ) == 0x0
 01267  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 140, {status=0x0, info=1}, ) }, 3, 16, ... 140, {status=0x0, info=1}, ) == 0x0
 01268  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01269  1744   NtClose  (140, ... ) == 0x0
 01270  1744   NtQueryInformationFile  (-1, 1238868, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01271  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238820,  (0x100080, {24, 0, 0x40, 0, 1238820, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01272  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01273  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01274  1744   NtClose  (-2147482128, ... ) == 0x0
 01272  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01275  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01276  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01277  1744   NtClose  (-2147482128, ... ) == 0x0
 01275  1744   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01278  1744   NtClose  (140, ... ) == 0x0
 01279  1744   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 01280  1744   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01281  1744   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01282  1744   NtClose  (140, ... ) == 0x0
 01283  1744   NtQueryValueKey  (144,  (144, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01284  1744   NtQueryValueKey  (144,  (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0\5\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0\5\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) , Partial, 710, ... TitleIdx=0, Type=3, Data= (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0\5\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0\5\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\6\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) }, 710, ) == 0x0
 01285  1744   NtClose  (144, ... ) == 0x0
 01286  1744   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 144, ) }, ... 144, ) == 0x0
 01287  1744   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, ... 140, ) }, ... 140, ) == 0x0
 01288  1744   NtClose  (144, ... ) == 0x0
 01289  1744   NtQueryValueKey  (140,  (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01290  1744   NtClose  (140, ... ) == 0x0
 01291  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 140, {status=0x0, info=0}, ) }, 3, 96, ... 140, {status=0x0, info=0}, ) == 0x0
 01292  1744   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 144, ) }, ... 144, ) == 0x0
 01293  1744   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01294  1744   NtClose  (144, ... ) == 0x0
 01295  1744   NtQueryVolumeInformationFile  (140, 1237816, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01296  1744   NtClose  (140, ... ) == 0x0
 01297  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&Signature14C814C8Offset7E00Length1FF582800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 140, {status=0x0, info=0}, ) }, 3, 16, ... 140, {status=0x0, info=0}, ) == 0x0
 01298  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (140, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01299  1744   NtClose  (140, ... ) == 0x0
 01300  1744   NtQueryInformationFile  (-1, 1238868, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01301  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1238820,  (0x100080, {24, 0, 0x40, 0, 1238820, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01302  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01303  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01304  1744   NtClose  (-2147482128, ... ) == 0x0
 01302  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01305  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0008,  (140, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01306  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01307  1744   NtClose  (-2147482128, ... ) == 0x0
 01305  1744   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0\310\24\310\24\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01308  1744   NtClose  (140, ... ) == 0x0
 01309  1744   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01310  1744   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01311  1744   NtClose  (140, ... ) == 0x0
 01312  1744   NtQueryValueKey  (144,  (144, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01313  1744   NtQueryValueKey  (144,  (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) , Partial, 710, ... TitleIdx=0, Type=3, Data= (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) \5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0 (144, "Data", Partial, 710, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\01\04\0C\08\01\04\0C\08\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\01\0F\0F\05\08\02\08\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\0\0\0\0\0\306\2\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\220\0\0\0"\5\0\0\310\6\0\0\320\6\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0#\5\0\0\310\6\0\0\320\6\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0H\0\0\0P\347\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\214\347\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0"}, 710, ) }, 710, ) == 0x0
 01314  1744   NtClose  (144, ... ) == 0x0
 01315  1744   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 144, ) }, ... 144, ) == 0x0
 01316  1744   NtOpenKey  (0x2000000, {24, 144, 0x40, 0, 0,  (0x2000000, {24, 144, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 140, ) }, ... 140, ) == 0x0
 01317  1744   NtClose  (144, ... ) == 0x0
 01318  1744   NtQueryValueKey  (140,  (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (140, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01319  1744   NtClose  (140, ... ) == 0x0
 01320  1744   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01321  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01322  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01323  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01324  1744   NtClose  (-2147482128, ... ) == 0x0
 01322  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01325  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01326  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01327  1744   NtClose  (-2147482128, ... ) == 0x0
 01325  1744   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01328  1744   NtClose  (140, ... ) == 0x0
 01329  1744   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01330  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01331  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01332  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01333  1744   NtClose  (-2147482128, ... ) == 0x0
 01331  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01334  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\03\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01335  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=0}, ) }, 0, 64, ... -2147482128, {status=0x0, info=0}, ) == 0x0
 01336  1744   NtClose  (-2147482128, ... ) == 0x0
 01334  1744   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01337  1744   NtClose  (140, ... ) == 0x0
 01338  1744   NtCreateKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01339  1744   NtSetValueKey  (140,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01340  1744   NtClose  (140, ... ) == 0x0
 01341  1744   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01342  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01343  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01344  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01345  1744   NtClose  (-2147482128, ... ) == 0x0
 01343  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01346  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01347  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01348  1744   NtClose  (-2147482128, ... ) == 0x0
 01346  1744   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01349  1744   NtClose  (140, ... ) == 0x0
 01350  1744   NtQueryInformationFile  (-1, 1240208, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01351  1744   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1240160,  (0x100080, {24, 0, 0x40, 0, 1240160, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 140, {status=0x0, info=0}, ) == 0x0
 01352  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01353  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01354  1744   NtClose  (-2147482128, ... ) == 0x0
 01352  1744   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01355  1744   NtDeviceIoControlFile  (140, 0, 0x0, 0x0, 0x6d0034,  (140, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\0a\0c\05\03\0e\07\0d\00\0-\0b\09\06\0f\0-\01\01\0d\0b\0-\0a\04\08\08\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01356  1744   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{ac53e7d0-b96f-11db-a488-806d6172696f}"}, 0, 64, ... -2147482128, {status=0x0, info=1}, ) }, 0, 64, ... -2147482128, {status=0x0, info=1}, ) == 0x0
 01357  1744   NtClose  (-2147482128, ... ) == 0x0
 01355  1744   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01358  1744   NtClose  (140, ... ) == 0x0
 01359  1744   NtCreateKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac53e7d0-b96f-11db-a488-806d6172696f}\"}, 0, 0x0, 0, ... 140, 2, ) }, 0, 0x0, 0, ... 140, 2, ) == 0x0
 01360  1744   NtSetValueKey  (140,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (140, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01361  1744   NtClose  (140, ... ) == 0x0
 01362  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01363  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01364  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 140, {status=0x0, info=1}, ) }, 3, 96, ... 140, {status=0x0, info=1}, ) == 0x0
 01365  1744   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 144, ) }, ... 144, ) == 0x0
 01366  1744   NtQuerySymbolicLinkObject  (144, ...  (144, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01367  1744   NtClose  (144, ... ) == 0x0
 01368  1744   NtQueryVolumeInformationFile  (140, 1239204, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369  1744   NtClose  (140, ... ) == 0x0
 01370  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01371  1744   NtOpenKey  (0x2000000, {24, 72, 0x40, 0, 0,  (0x2000000, {24, 72, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 140, ) }, ... 140, ) == 0x0
 01372  1744   NtOpenKey  (0x2000000, {24, 140, 0x40, 0, 0,  (0x2000000, {24, 140, 0x40, 0, 0, "{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, ... 144, ) }, ... 144, ) == 0x0
 01373  1744   NtClose  (140, ... ) == 0x0
 01374  1744   NtQueryValueKey  (144,  (144, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01375  1744   NtClose  (144, ... ) == 0x0
 01376  1744   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\Volume{ac53e7d3-b96f-11db-a488-806d6172696f}\"}, 1240336, ... ) }, 1240336, ... ) == 0x0
 01377  1744   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01378  1744   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 144, {status=0x0, info=1}, ) }, 3, 96, ... 144, {status=0x0, info=1}, ) == 0x0
 01379  1744   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 140, ) }, ... 140, ) == 0x0
 01380  1744   NtQuerySymbolicLinkObject  (140, ...  (140, ... "\Device\WinDfs\U:0000000000009f43", 66, ) , 66, ) == 0x0
 01381  1744   NtClose  (140, ... ) == 0x0
 01382  1744   NtQueryVolumeInformationFile  (144, 1241076, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01383  1744   NtClose  (144, ... ) == 0x0
 01384  1744   NtCreateEvent  (0x1f0003, {24, 48, 0x80, 1339720, 0,  (0x1f0003, {24, 48, 0x80, 1339720, 0, "ShellCopyEngineFinished"}, 0, 0, ... 144, ) }, 0, 0, ... 144, ) == 0x0
 01385  1744   NtSetEvent  (144, ... 0x0, ) == 0x0
 01386  1744   NtClose  (144, ... ) == 0x0
 01387  1744   NtClearEvent  (68, ... ) == 0x0
 01388  1744   NtClose  (68, ... ) == 0x0
 01389  1744   NtSetThreadExecutionState  (-2147483648, 1244004, ... ) == 0x0
 01390  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 01391  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion"}, ... 68, ) }, ... 68, ) == 0x0
 01392  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01393  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01394  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01395  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01396  1744   NtClose  (68, ... ) == 0x0
 01397  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01398  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 01399  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01400  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01401  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01402  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01403  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01404  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01405  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01406  1744   NtClose  (144, ... ) == 0x0
 01407  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01408  1744   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01410  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01411  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01412  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01413  1744   NtClose  (144, ... ) == 0x0
 01414  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01415  1744   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416  1744   NtClose  (70, ... ) == 0x0
 01417  1744   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion"}, ... 68, ) }, ... 68, ) == 0x0
 01418  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01419  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01420  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01421  1744   NtQueryValueKey  (68,  (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (68, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0
 01422  1744   NtClose  (68, ... ) == 0x0
 01423  1744   NtDelayExecution  (0, {-440000, -1}, ... ) == 0x0
 01424  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01425  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01427  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01428  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01429  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01430  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01431  1744   NtClose  (144, ... ) == 0x0
 01432  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433  1744   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01435  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01436  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01437  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01438  1744   NtClose  (144, ... ) == 0x0
 01439  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440  1744   NtQueryValueKey  (70,  (70, "version", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441  1744   NtClose  (70, ... ) == 0x0
 01442  1744   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01443  1744   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01444  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 68, ) }, ... 68, ) == 0x0
 01445  1744   NtCreateKey  (0x20006, {24, 68, 0x40, 0, 0,  (0x20006, {24, 68, 0x40, 0, 0, "WR"}, 0, "", 0, ... 144, 2, ) }, 0, "", 0, ... 144, 2, ) == 0x0
 01446  1744   NtClose  (68, ... ) == 0x0
 01447  1744   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01448  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01449  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01450  1744   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01451  1744   NtClose  (68, ... ) == 0x0
 01452  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01453  1744   NtSetValueKey  (146,  (146, "version", 0, 1, "7\03\0\0\0", 6, ... , 0, 1,  (146, "version", 0, 1, "7\03\0\0\0", 6, ... , 6, ...
 01454  1744   NtSetInformationFile  (-2147482448, -134732432, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0
 01453  1744   NtSetValueKey  ... ) == 0x0
 01455  1744   NtClose  (146, ... ) == 0x0
 01456  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 01457  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01458  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01459  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01460  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01461  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01462  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01463  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 144, ) }, ... 144, ) == 0x0
 01464  1744   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01465  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01466  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01467  1744   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01468  1744   NtClose  (68, ... ) == 0x0
 01469  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01470  1744   NtQueryValueKey  (146,  (146, "nextupdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01471  1744   NtClose  (146, ... ) == 0x0
 01472  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01473  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 144, ) }, ... 144, ) == 0x0
 01475  1744   NtQueryKey  (146, Name, 392, ... {Name= (146, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01476  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01477  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 68, ) == 0x0
 01478  1744   NtQueryInformationToken  (68, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01479  1744   NtClose  (68, ... ) == 0x0
 01480  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481  1744   NtQueryValueKey  (146,  (146, "nextupdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01482  1744   NtClose  (146, ... ) == 0x0
 01483  1744   NtQueryKey  (66, Name, 382, ... {Name= (66, Name, 382, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01484  1744   NtOpenKey  (0x2000000, {24, 66, 0x40, 0, 0,  (0x2000000, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01485  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01486  1744   NtCreateKey  (0x20006, {24, 144, 0x40, 0, 0,  (0x20006, {24, 144, 0x40, 0, 0, "WR"}, 0, "", 0, ... 68, 2, ) }, 0, "", 0, ... 68, 2, ) == 0x0
 01487  1744   NtClose  (144, ... ) == 0x0
 01488  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01489  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01490  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01491  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01492  1744   NtClose  (144, ... ) == 0x0
 01493  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01494  1744   NtSetValueKey  (70,  (70, "nextupdate", 0, 4, "\37\236\21H", 4, ... ) , 0, 4,  (70, "nextupdate", 0, 4, "\37\236\21H", 4, ... ) , 4, ... ) == 0x0
 01495  1744   NtClose  (70, ... ) == 0x0
 01496  1744   NtDelayExecution  (0, {-350000, -1}, ... ) == 0x0
 01497  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 01498  1744   NtDelayExecution  (0, {-360000, -1}, ... ) == 0x0
 01499  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01500  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01501  1744   NtDelayExecution  (0, {-340000, -1}, ... ) == 0x0
 01502  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01503  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01504  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01505  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01506  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01507  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01508  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01509  1744   NtClose  (144, ... ) == 0x0
 01510  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01511  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01512  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01513  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01514  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01515  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01516  1744   NtClose  (144, ... ) == 0x0
 01517  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01518  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01519  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01520  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01521  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01522  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01523  1744   NtClose  (144, ... ) == 0x0
 01524  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01525  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01526  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01527  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01528  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01529  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01530  1744   NtClose  (144, ... ) == 0x0
 01531  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01533  1744   NtClose  (70, ... ) == 0x0
 01534  1744   NtQueryKey  (66, Name, 384, ... {Name= (66, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_CLASSES"}, 140, ) }, 140, ) == 0x0
 01535  1744   NtOpenKey  (0x20019, {24, 66, 0x40, 0, 0,  (0x20019, {24, 66, 0x40, 0, 0, "WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536  1744   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\WR"}, ... 68, ) }, ... 68, ) == 0x0
 01537  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR\"}, 78, ) }, 78, ) == 0x0
 01538  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01539  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01540  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01541  1744   NtClose  (144, ... ) == 0x0
 01542  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01543  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01544  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01545  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01546  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01547  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01548  1744   NtClose  (144, ... ) == 0x0
 01549  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01550  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01551  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01552  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01553  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01554  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01555  1744   NtClose  (144, ... ) == 0x0
 01556  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01557  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01558  1744   NtQueryKey  (70, Name, 392, ... {Name= (70, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\WR1"}, 78, ) }, 78, ) == 0x0
 01559  1744   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01560  1744   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 01561  1744   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01562  1744   NtClose  (144, ... ) == 0x0
 01563  1744   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003_Classes\WR"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01564  1744   NtQueryValueKey  (70,  (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (70, "cmd", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01565  1744   NtClose  (70, ... ) == 0x0
 01566  1744   NtDelayExecution  (0, {-1030000, -1}, ... ) == 0x0
 01567  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01568  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01569  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01570  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01571  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01572  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01573  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01574  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01575  1744   NtDelayExecution  (0, {-21360000, -1}, ... ) == 0x0
 01576  1744   NtDelayExecution  (0, {-21360000, -1}, ...
NtAddAtom(>)	1	NtUserGetThreadDesktop(>)	1	NtQueryVirtualMemory(>)	5	NtQueryInformationProcess(>)	18
NtCallbackReturn(>)	1	NtAdjustPrivilegesToken(>)	2	NtSetInformationProcess(>)	5	NtUserRegisterWindowMessage(>)	18
NtClearEvent(>)	1	NtContinue(>)	2	NtSetInformationThread(>)	5	NtOpenSection(>)	22
NtConnectPort(>)	1	NtCreateIoCompletion(>)	2	NtOpenThreadToken(>)	6	NtQueryAttributesFile(>)	22
NtCreateSemaphore(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryVolumeInformationFile(>)	6	NtOpenProcessTokenEx(>)	27
NtEnumerateValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtFsControlFile(>)	7	NtOpenThreadTokenEx(>)	27
NtFreeVirtualMemory(>)	1	NtOpenEvent(>)	2	NtQueryDefaultLocale(>)	7	NtQueryKey(>)	28
NtGdiCreateBitmap(>)	1	NtReadFile(>)	2	NtQueryDirectoryFile(>)	7	NtMapViewOfSection(>)	31
NtGdiInit(>)	1	NtSetEvent(>)	2	NtQuerySection(>)	7	NtQueryInformationToken(>)	31
NtGdiQueryFontAssocInfo(>)	1	NtSetThreadExecutionState(>)	2	NtOpenProcessToken(>)	8	NtDeviceIoControlFile(>)	42
NtGdiSelectBitmap(>)	1	NtUserGetDC(>)	2	NtQueryDefaultUILanguage(>)	8	NtAllocateVirtualMemory(>)	45
NtOpenKeyedEvent(>)	1	NtUserQueryWindow(>)	2	NtQueryInformationFile(>)	8	NtOpenFile(>)	47
NtOpenProcess(>)	1	NtWriteFile(>)	2	NtUnmapViewOfSection(>)	8	NtUserFindExistingCursorIcon(>)	52
NtQueryInstallUILanguage(>)	1	NtAccessCheck(>)	3	NtCreateFile(>)	9	NtUserRegisterClassExWOW(>)	61
NtQueryObject(>)	1	NtDuplicateObject(>)	3	NtQueryDebugFilterState(>)	9	NtQuerySystemInformation(>)	73
NtQuerySystemTime(>)	1	NtGdiCreateCompatibleDC(>)	3	NtRequestWaitReplyPort(>)	11	NtFlushInstructionCache(>)	78
NtRegisterThreadTerminatePort(>)	1	NtUserCallOneParam(>)	3	NtUserSystemParametersInfo(>)	11	NtDelayExecution(>)	85
NtSecureConnectPort(>)	1	NtCreateMutant(>)	4	NtCreateEvent(>)	13	NtQueryValueKey(>)	98
NtTestAlert(>)	1	NtSetInformationObject(>)	4	NtSetInformationFile(>)	14	NtOpenKey(>)	147
NtUserCallNoParam(>)	1	NtGdiGetStockObject(>)	5	NtCreateKey(>)	15	NtProtectVirtualMemory(>)	158
NtUserGetObjectInformation(>)	1	NtOpenSymbolicLinkObject(>)	5	NtCreateSection(>)	15	NtClose(>)	213
NtUserGetProcessWindowStation(>)	1	NtQuerySymbolicLinkObject(>)	5	NtSetValueKey(>)	17