Summary:


NtAccessCheck(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtGdiGetStockObject(>)  5 
NtUserRegisterWindowMessage(>)  19 

NtAddAtom(>)  1 
NtContinue(>)  2 
NtUserBuildHwndList(>)  5 
NtOpenThreadToken(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteFile(>)  5 
NtUnmapViewOfSection(>)  21 

NtConnectPort(>)  1 
NtEnumerateKey(>)  2 
NtCreateSemaphore(>)  6 
NtCreateKey(>)  22 

NtCreateProcessEx(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtCreateSection(>)  27 

NtCreateThread(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultLocale(>)  6 
NtQueryInformationFile(>)  27 

NtDeleteValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtOpenSection(>)  29 

NtGdiCreateBitmap(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtReleaseSemaphore(>)  31 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtSetInformationProcess(>)  31 

NtGdiInit(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtWaitForSingleObject(>)  33 

NtGdiQueryFontAssocInfo(>)  1 
NtReleaseMutant(>)  2 
NtSetInformationFile(>)  8 
NtProtectVirtualMemory(>)  36 

NtGdiSelectBitmap(>)  1 
NtTerminateProcess(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtUserUnregisterClass(>)  46 

NtNotifyChangeKey(>)  1 
NtUserCloseDesktop(>)  2 
NtFsControlFile(>)  10 
NtMapViewOfSection(>)  48 

NtOpenKeyedEvent(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtOpenProcess(>)  1 
NtUserDestroyWindow(>)  2 
NtQuerySection(>)  11 
NtQueryInformationProcess(>)  51 

NtQueryInformationJobObject(>)  1 
NtUserMessageCall(>)  2 
NtRequestWaitReplyPort(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryObject(>)  1 
NtCreateMutant(>)  3 
NtUserCallOneParam(>)  11 
NtOpenProcessTokenEx(>)  60 

NtQueryPerformanceCounter(>)  1 
NtDuplicateObject(>)  3 
NtUserSystemParametersInfo(>)  11 
NtOpenThreadTokenEx(>)  60 

NtQuerySystemTime(>)  1 
NtEnumerateValueKey(>)  3 
NtLockFile(>)  13 
NtUserRegisterClassExWOW(>)  64 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUnlockFile(>)  13 
NtQueryAttributesFile(>)  68 

NtResumeThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtCreateEvent(>)  14 
NtQueryInformationToken(>)  72 

NtSecureConnectPort(>)  1 
NtOpenEvent(>)  3 
NtOpenProcessToken(>)  14 
NtQueryKey(>)  73 

NtTestAlert(>)  1 
NtReadVirtualMemory(>)  3 
NtSetValueKey(>)  15 
NtUserGetClassInfo(>)  82 

NtUserBuildNameList(>)  1 
NtSetEvent(>)  3 
NtQueryDebugFilterState(>)  16 
NtAllocateVirtualMemory(>)  88 

NtUserGetAtomName(>)  1 
NtUserGetObjectInformation(>)  3 
NtFlushInstructionCache(>)  17 
NtQuerySystemInformation(>)  88 

NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtFreeVirtualMemory(>)  17 
NtOpenFile(>)  90 

NtUserGetForegroundWindow(>)  1 
NtUserRemoveProp(>)  3 
NtQueryDirectoryFile(>)  17 
NtQueryValueKey(>)  125 

NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtReadFile(>)  17 
NtUserQueryWindow(>)  128 

NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationThread(>)  17 
NtOpenKey(>)  288 

NtUserSetProp(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  18 
NtClose(>)  385 


Trace:
 00001   468   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   468   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   468   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   468   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   468   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   468   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   468   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   468   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   468   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   468   NtClose  (12, ... ) == 0x0
 00014   468   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   468   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   468   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   468   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   468   NtClose  (16, ... ) == 0x0
 00021   468   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   468   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   468   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   468   NtClose  (16, ... ) == 0x0
 00026   468   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   468   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   468   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   468   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   468   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 440, 468, 1486, 0} "\210\275\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 440, 468, 1486, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 440, 468, 1486, 0} "\210\275\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   468   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   468   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   468   NtClose  (16, ... ) == 0x0
 00036   468   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   468   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   468   NtClose  (28, ... ) == 0x0
 00041   468   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   468   NtClose  (28, ... ) == 0x0
 00045   468   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   468   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   468   NtClose  (28, ... ) == 0x0
 00049   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   468   NtClose  (28, ... ) == 0x0
 00052   468   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   468   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 440, 468, 1487, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 440, 468, 1487, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 440, 468, 1487, 0} "H\322\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00057   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00058   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00059   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   468   NtClose  (28, ... ) == 0x0
 00062   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   468   NtClose  (28, ... ) == 0x0
 00065   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   468   NtClose  (28, ... ) == 0x0
 00068   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   468   NtClose  (28, ... ) == 0x0
 00071   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00072   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00073   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00074   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00075   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00076   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00077   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00079   468   NtClose  (28, ... ) == 0x0
 00080   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00082   468   NtClose  (28, ... ) == 0x0
 00083   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00085   468   NtClose  (28, ... ) == 0x0
 00086   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00087   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00088   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00089   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   468   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00091   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00094   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00095   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00096   468   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00097   468   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00098   468   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00099   468   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00101   468   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00102   468   NtClose  (40, ... ) == 0x0
 00103   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00104   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00105   468   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00106   468   NtClose  (40, ... ) == 0x0
 00107   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   468   NtClose  (36, ... ) == 0x0
 00109   468   NtClose  (28, ... ) == 0x0
 00110   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00111   468   NtClose  (32, ... ) == 0x0
 00112   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00113   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00114   468   NtClose  (32, ... ) == 0x0
 00115   468   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00116   468   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00117   468   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00118   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00119   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00120   468   NtClose  (32, ... ) == 0x0
 00121   468   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00122   468   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00123   468   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00124   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00125   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00126   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00127   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00131   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   468   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   468   NtClose  (32, ... ) == 0x0
 00135   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00136   468   NtClose  (28, ... ) == 0x0
 00137   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00141   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00142   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00143   468   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00144   468   NtClose  (28, ... ) == 0x0
 00145   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00146   468   NtClose  (32, ... ) == 0x0
 00147   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00148   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00149   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00150   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00151   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00152   468   NtClose  (32, ... ) == 0x0
 00153   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00154   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00155   468   NtClose  (32, ... ) == 0x0
 00156   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00157   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00158   468   NtClose  (32, ... ) == 0x0
 00159   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00160   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00161   468   NtClose  (32, ... ) == 0x0
 00162   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 32, ) }, ... 32, ) == 0x0
 00163   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00164   468   NtClose  (32, ... ) == 0x0
 00165   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00166   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00167   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00168   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00169   468   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00170   468   NtClose  (32, ... ) == 0x0
 00171   468   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00172   468   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00173   468   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00174   468   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00175   468   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00176   468   NtClose  (32, ... ) == 0x0
 00177   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00178   468   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00179   468   NtClose  (32, ... ) == 0x0
 00180   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00181   468   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182   468   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183   468   NtClose  (32, ... ) == 0x0
 00184   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00185   468   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   468   NtClose  (32, ... ) == 0x0
 00187   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00188   468   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00189   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00191   468   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 440, 468, 1502, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 440, 468, 1502, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 440, 468, 1502, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00192   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   468   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00194   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00195   468   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00196   468   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482196, ) == 0x0
 00197   468   NtQueryInformationToken  (-2147482196, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00198   468   NtQueryInformationToken  (-2147482196, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00199   468   NtClose  (-2147482196, ... ) == 0x0
 00200   468   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5570560, 4096, ) == 0x0
 00201   468   NtFreeVirtualMemory  (-1, (0x550000), 4096, 32768, ... (0x550000), 4096, ) == 0x0
 00202   468   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00203   468   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00204   468   NtQueryValueKey  (-2147482196,  (-2147482196, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   468   NtClose  (-2147482196, ... ) == 0x0
 00206   468   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00207   468   NtQueryValueKey  (-2147482196,  (-2147482196, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   468   NtClose  (-2147482196, ... ) == 0x0
 00209   468   NtQueryDefaultLocale  (0, -133690868, ... ) == 0x0
 00210   468   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00211   468   NtUserCallNoParam  (24, ... ) == 0x0
 00212   468   NtGdiCreateCompatibleDC  (0, ...
 00213   468   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5570560, 4096, ) == 0x0
 00212   468   NtGdiCreateCompatibleDC  ... ) == 0x100103c9
 00214   468   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00215   468   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00216   468   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0x470503d2
 00217   468   NtGdiCreateSolidBrush  (0, 0, ...
 00218   468   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8781824, 4096, ) == 0x0
 00217   468   NtGdiCreateSolidBrush  ... ) == 0x1d1003cd
 00219   468   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00220   468   NtGdiCreateCompatibleDC  (0, ... ) == 0xe0103df
 00221   468   NtGdiSelectBitmap  (234947551, 1191510994, ... ) == 0x185000f
 00222   468   NtUserGetThreadDesktop  (468, 0, ... ) == 0x2c
 00223   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00224   468   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00225   468   NtClose  (52, ... ) == 0x0
 00226   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00227   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00228   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00229   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00230   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00231   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00232   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00233   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00234   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00235   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00236   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00237   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00238   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00239   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00240   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00241   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00242   468   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00243   468   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00244   468   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00245   468   NtAllocateVirtualMemory  (-1, 5730304, 0, 4096, 4096, 32, ... 5730304, 4096, ) == 0x0
 00244   468   NtUserRegisterClassExWOW  ... ) == 0x810cc020
 00246   468   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00247   468   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00248   468   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024
 00249   468   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00250   468   NtCallbackReturn  (0, 0, 0, ...
 00251   468   NtGdiInit  (... ) == 0x1
 00252   468   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00253   468   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00254   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00255   468   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8847360, 65536, ) == 0x0
 00256   468   NtAllocateVirtualMemory  (-1, 8847360, 0, 4096, 4096, 4, ... 8847360, 4096, ) == 0x0
 00257   468   NtAllocateVirtualMemory  (-1, 8851456, 0, 8192, 4096, 4, ... 8851456, 8192, ) == 0x0
 00258   468   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00259   468   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x880000), 0x0, 12288, ) == 0x0
 00260   468   NtClose  (52, ... ) == 0x0
 00261   468   NtAllocateVirtualMemory  (-1, 8859648, 0, 4096, 4096, 4, ... 8859648, 4096, ) == 0x0
 00262   468   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00264   468   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00265   468   NtClose  (52, ... ) == 0x0
 00266   468   NtQueryDefaultUILanguage  (1241756, ...
 00267   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00269   468   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   468   NtClose  (-2147482196, ... ) == 0x0
 00271   468   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00272   468   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   468   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00274   468   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   468   NtClose  (-2147482184, ... ) == 0x0
 00276   468   NtClose  (-2147482196, ... ) == 0x0
 00266   468   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   468   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00279   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00280   468   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00281   468   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 8323072, ) == 0x0
 00282   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   468   NtQueryDefaultUILanguage  (2013024600, ...
 00284   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00285   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00286   468   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   468   NtClose  (-2147482196, ... ) == 0x0
 00288   468   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00289   468   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   468   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00291   468   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   468   NtClose  (-2147482184, ... ) == 0x0
 00293   468   NtClose  (-2147482196, ... ) == 0x0
 00283   468   NtQueryDefaultUILanguage  ... ) == 0x0
 00294   468   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00295   468   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00296   468   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00297   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   468   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1503, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 468, 1503, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1503, 0} " S\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\300\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00299   468   NtClose  (52, ... ) == 0x0
 00300   468   NtClose  (56, ... ) == 0x0
 00301   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00302   468   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00303   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00304   468   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00305   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00306   468   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   468   NtClose  (56, ... ) == 0x0
 00308   468   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00314   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00316   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00317   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00318   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00319   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00320   468   NtClose  (52, ... ) == 0x0
 00321   468   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 921600, ) == 0x0
 00322   468   NtClose  (60, ... ) == 0x0
 00323   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00324   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00325   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00326   468   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00327   468   NtClose  (60, ... ) == 0x0
 00328   468   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00329   468   NtClose  (52, ... ) == 0x0
 00330   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00331   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00332   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00333   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00334   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00335   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00336   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00337   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00338   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00339   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00340   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00341   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00342   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00343   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00344   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00345   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00346   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00347   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00348   468   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   468   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   468   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   468   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00352   468   NtQueryDefaultUILanguage  (1239368, ...
 00353   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00354   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00355   468   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00356   468   NtClose  (-2147482196, ... ) == 0x0
 00357   468   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00358   468   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   468   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00360   468   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   468   NtClose  (-2147482184, ... ) == 0x0
 00362   468   NtClose  (-2147482196, ... ) == 0x0
 00352   468   NtQueryDefaultUILanguage  ... ) == 0x0
 00363   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00364   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00365   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00366   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00367   468   NtClose  (52, ... ) == 0x0
 00368   468   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x890000), 0x0, 4096, ) == 0x0
 00369   468   NtClose  (60, ... ) == 0x0
 00370   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00371   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00372   468   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00373   468   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00374   468   NtClose  (60, ... ) == 0x0
 00375   468   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x890000), {0, 0}, 4096, ) == 0x0
 00376   468   NtClose  (52, ... ) == 0x0
 00377   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00378   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00379   468   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00380   468   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x890000), 0x0, 4096, ) == 0x0
 00381   468   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00382   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   468   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 468, 1504, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1504, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00384   468   NtClose  (52, ... ) == 0x0
 00385   468   NtClose  (60, ... ) == 0x0
 00386   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 00387   468   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00388   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00389   468   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00390   468   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00391   468   NtUserGetDC  (0, ... ) == 0x1010050
 00392   468   NtUserCallOneParam  (16842832, 56, ... ) == 0x1
 00393   468   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00394   468   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00395   468   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00396   468   NtAccessCheck  (1394776, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00397   468   NtClose  (60, ... ) == 0x0
 00398   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00399   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00400   468   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00401   468   NtClose  (60, ... ) == 0x0
 00402   468   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00403   468   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00404   468   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00405   468   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   468   NtClose  (52, ... ) == 0x0
 00407   468   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00408   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00409   468   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00411   468   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   468   NtClose  (64, ... ) == 0x0
 00413   468   NtClose  (52, ... ) == 0x0
 00414   468   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00415   468   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00416   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00417   468   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00418   468   NtClose  (52, ... ) == 0x0
 00419   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00420   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03b
 00421   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc03d
 00422   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00423   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc03f
 00424   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc041
 00426   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc043
 00428   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc045
 00429   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc047
 00431   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc049
 00433   468   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00434   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04b
 00436   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00437   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04d
 00438   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc04f
 00440   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc051
 00441   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00442   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc053
 00443   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00444   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc055
 00445   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc057
 00446   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00447   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc059
 00448   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00449   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05b
 00450   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00451   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05d
 00452   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00453   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc05f
 00454   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00455   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc017
 00456   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00457   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc019
 00458   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00459   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc018
 00460   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00461   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc01a
 00462   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00463   468   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810cc01c
 00464   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00465   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00466   468   NtAllocateVirtualMemory  (-1, 5734400, 0, 4096, 4096, 32, ... 5734400, 4096, ) == 0x0
 00465   468   NtUserRegisterClassExWOW  ... ) == 0x810cc01e
 00467   468   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00468   468   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810cc01b
 00469   468   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00470   468   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810cc068
 00471   468   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00472   468   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810cc06a
 00473   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00474   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00475   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc03b
 00476   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00477   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc03d
 00478   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00479   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00480   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc03f
 00481   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00482   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00483   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc041
 00484   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00485   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00486   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc043
 00487   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00488   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc045
 00489   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00490   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00491   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc047
 00492   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00493   468   NtUserFindExistingCursorIcon  (1242872, 1242888, 1243456, ... ) == 0x10011
 00494   468   NtUserRegisterClassExWOW  (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810cc049
 00495   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00496   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00497   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc04b
 00498   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00499   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00500   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc04d
 00501   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00502   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00503   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc04f
 00504   468   NtUserGetClassInfo  (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0
 00505   468   NtUserRegisterClassExWOW  (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810cc051
 00506   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00507   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00508   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc053
 00509   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00510   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00511   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc055
 00512   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc057
 00513   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00514   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00515   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc059
 00516   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00517   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10013
 00518   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc05b
 00519   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00520   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00521   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc05d
 00522   468   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00523   468   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00524   468   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810cc05f
 00525   468   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 52, ) == 0x0
 00526   468   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00527   468   NtClose  (52, ... ) == 0x0
 00528   468   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00529   468   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00530   468   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00531   468   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00532   468   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   468   NtClose  (52, ... ) == 0x0
 00534   468   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00535   468   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00536   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b
 00537   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d
 00538   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f
 00539   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041
 00540   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc043
 00541   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc045
 00542   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047
 00543   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049
 00544   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b
 00545   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d
 00546   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f
 00547   468   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051
 00548   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053
 00549   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055
 00550   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059
 00551   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b
 00552   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d
 00553   468   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f
 00554   468   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00555   468   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00556   468   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00557   468   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00558   468   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00559   468   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00560   468   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00561   468   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00562   468   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00563   468   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00564   468   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00565   468   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00566   468   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00567   468   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00568   468   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00569   468   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00570   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00572   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00573   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00574   468   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9109504, 262144, ) == 0x0
 00575   468   NtAllocateVirtualMemory  (-1, 9109504, 0, 4096, 4096, 4, ... 9109504, 4096, ) == 0x0
 00576   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00577   468   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9371648, 262144, ) == 0x0
 00578   468   NtAllocateVirtualMemory  (-1, 9371648, 0, 4096, 4096, 4, ... 9371648, 4096, ) == 0x0
 00579   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00580   468   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9633792, 262144, ) == 0x0
 00581   468   NtAllocateVirtualMemory  (-1, 9633792, 0, 4096, 4096, 4, ... 9633792, 4096, ) == 0x0
 00582   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00583   468   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9895936, 262144, ) == 0x0
 00584   468   NtAllocateVirtualMemory  (-1, 9895936, 0, 4096, 4096, 4, ... 9895936, 4096, ) == 0x0
 00585   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00586   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00587   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00588   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00589   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 00590   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00591   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 64, ) == 0x0
 00592   468   NtClose  (52, ... ) == 0x0
 00593   468   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 90112, ) == 0x0
 00594   468   NtClose  (64, ... ) == 0x0
 00595   468   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00596   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239688, ... ) }, 1239688, ... ) == 0x0
 00597   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00598   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 52, ) == 0x0
 00599   468   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00600   468   NtClose  (64, ... ) == 0x0
 00601   468   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00602   468   NtClose  (52, ... ) == 0x0
 00603   468   NtQueryDefaultLocale  (1, 1241376, ... ) == 0x0
 00604   468   NtAllocateVirtualMemory  (-1, 9113600, 0, 4096, 4096, 4, ... 9113600, 4096, ) == 0x0
 00605   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00606   468   NtClose  (52, ... ) == 0x0
 00607   468   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   468   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00610   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00612   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00613   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00614   468   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00615   468   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00616   468   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00617   468   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00618   468   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00619   468   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00620   468   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0
 00621   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00622   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00623   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00624   468   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00625   468   NtClose  (68, ... ) == 0x0
 00626   468   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00627   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00630   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00631   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00632   468   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   468   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   468   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635   468   NtClose  (68, ... ) == 0x0
 00636   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00637   468   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   468   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   468   NtClose  (68, ... ) == 0x0
 00640   468   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   468   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00642   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   468   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   468   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00646   468   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0
 00647   468   NtQueryDefaultUILanguage  (1241768, ...
 00648   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00649   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482196, ) == 0x0
 00650   468   NtQueryInformationToken  (-2147482196, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00651   468   NtClose  (-2147482196, ... ) == 0x0
 00652   468   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00653   468   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   468   NtOpenKey  (0x80000000, {24, -2147482196, 0x640, 0, 0,  (0x80000000, {24, -2147482196, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482184, ) }, ... -2147482184, ) == 0x0
 00655   468   NtQueryValueKey  (-2147482184,  (-2147482184, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   468   NtClose  (-2147482184, ... ) == 0x0
 00657   468   NtClose  (-2147482196, ... ) == 0x0
 00647   468   NtQueryDefaultUILanguage  ... ) == 0x0
 00658   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00660   468   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00661   468   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9b0000), 0x0, 593920, ) == 0x0
 00662   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   468   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00664   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   468   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1505, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 468, 1505, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 468, 1505, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\242\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00666   468   NtClose  (72, ... ) == 0x0
 00667   468   NtClose  (76, ... ) == 0x0
 00668   468   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00669   468   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00670   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00671   468   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00673   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00674   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00676   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00677   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00678   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00679   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0
 00680   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00681   468   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00682   468   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00683   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00684   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 88, ) }, ... 88, ) == 0x0
 00685   468   NtNotifyChangeKey  (88, 84, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00686   468   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00687   468   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00688   468   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00689   468   NtTestAlert  (... ) == 0x0
 00690   468   NtContinue  (1244464, 1, ...
 00691   468   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x404118,}, 4, ... ) == 0x0
 00692   468   NtQueryPerformanceCounter  (... {105932650, 0}, {3579545, 0}, ) == 0x0
 00693   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00694   468   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10158080, 65536, ) == 0x0
 00695   468   NtAllocateVirtualMemory  (-1, 10158080, 0, 4096, 4096, 4, ... 10158080, 4096, ) == 0x0
 00696   468   NtAllocateVirtualMemory  (-1, 10162176, 0, 8192, 4096, 4, ... 10162176, 8192, ) == 0x0
 00697   468   NtAllocateVirtualMemory  (-1, 10170368, 0, 4096, 4096, 4, ... 10170368, 4096, ) == 0x0
 00698   468   NtAllocateVirtualMemory  (-1, 10174464, 0, 4096, 4096, 4, ... 10174464, 4096, ) == 0x0
 00699   468   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10223616, 4096, ) == 0x0
 00700   468   NtProtectVirtualMemory  (-1, (0x9c0000), 6, 64, ...
 00701   468   NtContinue  (-133693652, 0, ...
 00700   468   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00702   468   NtFreeVirtualMemory  (-1, (0x9c0000), 0, 32768, ... (0x9c0000), 4096, ) == 0x0
 00703   468   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00704   468   NtDeleteValueKey  (100,  (100, "Z", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   468   NtClose  (100, ... ) == 0x0
 00706   468   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 1241352,  (0x40100080, {24, 0, 0x42, 0, 1241352, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00707   468   NtClose  (-2147482196, ... ) == 0x0
 00706   468   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00708   468   NtQueryVolumeInformationFile  (100, 1241456, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00709   468   NtAllocateVirtualMemory  (-1, 10178560, 0, 8192, 4096, 4, ... 10178560, 8192, ) == 0x0
 00710   468   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0
 00711   468   NtClose  (100, ... ) == 0x0
 00712   468   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235052, ... ) }, 1235052, ... ) == 0x0
 00714   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00715   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00716   468   NtClose  (100, ... ) == 0x0
 00717   468   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 262144, ) == 0x0
 00718   468   NtClose  (104, ... ) == 0x0
 00719   468   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 00720   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00721   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00722   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00723   468   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00724   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 104, {status=0x0, info=0}, ) }, 7, 16, ... 104, {status=0x0, info=0}, ) == 0x0
 00725   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;g\12\352\301\1F\2576\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00726   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00727   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00728   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00729   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00730   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00731   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00732   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00733   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00734   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "\3207.\363\211\205\205\241pR\240^\303\210\257\341\303A^\235\365Lr+\10\260\33\371\245;\1h\3169\207\264\323\215t\370\333\37\6\2028\211\36)?'m\362\262\240\223w\33\231\252\356\342\355i3\237\306p\222b\225\15\323\313S\366\341w\376\300\311", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "\3207.\363\211\205\205\241pR\240^\303\210\257\341\303A^\235\365Lr+\10\260\33\371\245;\1h\3169\207\264\323\215t\370\333\37\6\2028\211\36)?'m\362\262\240\223w\33\231\252\356\342\355i3\237\306p\222b\225\15\323\313S\366\341w\376\300\311", 80, ... ) , 80, ... ) == 0x0
 00735   468   NtClose  (-2147482196, ... ) == 0x0
 00725   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "u\323\242\13\222\267j\315\272B~P\320\303\17\375.=\233\233\200\266T\265^r0yj{9\203\306X\13\272\3147\221Z\304\326=~\21\320J\35)\367\360.H\356\356\334\353\377X\16\22\212\361E\276_2\365\206\315\373\7\314}\244\330%}6V\307rb\341P+\274\24\237\324\16\272\222\15\276\253@\4\36\357\272[\241\215\311\33\7aO\206e'J\11$\\361h\336\0!y\2636|\373\274\245\376\245@2\367:\362\321\13\351-\314Z\212\341\361\22L\215\243\247'\321%T\373\212\34\353(\215\247\373\314\247\371\356w\334\332(s\212\236M\323.(W\26\200\260c\0M\252\217\325\205>\16Xp\217\37\274\232M\314\226\307\212g\364\272@K\221\10\222d\253?\240x\27@\25\314R\4\321\371\254{\11\254\363\340\25\216+]Q7\336\232\276\306\270\200C\322<\201 \375\217\211U(](\3541\226\271)", ) , ) == 0x0
 00736   468   NtAllocateVirtualMemory  (-1, 1429504, 0, 16384, 4096, 4, ... 1429504, 16384, ) == 0x0
 00737   468   NtUserRegisterClassExWOW  (1237136, 1237216, 1237200, 1237232, 0, 384, 0, ... ) == 0x810cc038
 00738   468   NtUserGetAtomName  (49208, 1235900, ... ) == 0x15
 00739   468   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00740   468   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00741   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233424, ... ) }, 1233424, ... ) == 0x0
 00742   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00743   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0
 00744   468   NtClose  (100, ... ) == 0x0
 00745   468   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9c0000), 0x0, 204800, ) == 0x0
 00746   468   NtClose  (108, ... ) == 0x0
 00747   468   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 00748   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233740, ... ) }, 1233740, ... ) == 0x0
 00749   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00750   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0
 00751   468   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00752   468   NtClose  (108, ... ) == 0x0
 00753   468   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00754   468   NtClose  (100, ... ) == 0x0
 00755   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00756   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00757   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00758   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00759   468   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00760   468   NtClose  (100, ... ) == 0x0
 00761   468   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00762   468   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 00763   468   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   468   NtClose  (108, ... ) == 0x0
 00765   468   NtClose  (100, ... ) == 0x0
 00766   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00767   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00768   468   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00769   468   NtClose  (100, ... ) == 0x0
 00770   468   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00771   468   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00772   468   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   468   NtClose  (108, ... ) == 0x0
 00774   468   NtClose  (100, ... ) == 0x0
 00775   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == 0x0
 00778   468   NtUserGetProcessWindowStation  (... ) == 0x28
 00779   468   NtUserGetObjectInformation  (40, 2, 0, 0, 1235536, ... ) == 0x0
 00780   468   NtUserGetObjectInformation  (40, 2, 1441872, 16, 1235536, ... ) == 0x1
 00781   468   NtUserGetGUIThreadInfo  (468, 1235492, ... ) == 0x1
 00782   468   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0
 00783   468   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 468, 1552, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1552, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00784   468   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1553, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 468, 1553, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1553, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00785   468   NtUserCallNoParam  (29, ...
 00786   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232784, ... ) }, 1232784, ... ) == 0x0
 00785   468   NtUserCallNoParam  ... ) == 0x0
 00787   468   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00788   468   NtGdiHfontCreate  (1234864, 356, 0, 0, 1413832, ... ) == 0x120a0381
 00789   468   NtGdiHfontCreate  (1234864, 356, 0, 0, 1413824, ... ) == 0xd0a03f1
 00790   468   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1554, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 468, 1554, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 468, 1554, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00791   468   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9c0000), {0, 0}, 331776, ) == 0x0
 00792   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00793   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00794   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00795   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00796   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00797   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00798   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00799   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00800   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00801   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00802   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00803   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00804   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00805   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00806   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00807   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00808   468   NtUserGetWindowDC  (0, ... ) == 0x1010053
 00809   468   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x81003f9
 00810   468   NtUserCallOneParam  (16842835, 56, ... ) == 0x1
 00811   468   NtUserCallNoParam  (29, ...
 00812   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232228, ... ) }, 1232228, ... ) == 0x0
 00811   468   NtUserCallNoParam  ... ) == 0x0
 00813   468   NtUserCallNoParam  (29, ...
 00814   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232224, ... ) }, 1232224, ... ) == 0x0
 00813   468   NtUserCallNoParam  ... ) == 0x0
 00815   468   NtUserMessageCall  (0x200b2, WM_NCCREATE, 0x0, 0x12db68, 0, 670, 0, ... ) == 0x1
 00816   468   NtUserMessageCall  (0x200b2, WM_NCCALCSIZE, 0x0, 0x12db90, 0, 670, 0, ... ) == 0x0
 00817   468   NtUserSetProp  (131250, 43288, -1, ... ) == 0x1
 00739   468   NtUserCreateWindowEx  ... ) == 0x200b2
 00818   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204\17\340h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00819   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00820   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00821   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00822   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00823   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00824   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00825   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00826   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00827   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "&l\246-\346(x\304\216\210\266W\3118\1S|\362\322\255\375d,\365\230\207\305\20c\307&\336\332\341q\257\236\265\243\247\355`\304A\265\246kv\6\@IjF\3149a5W\241@\202\22\36\252'%L\236R(]\374\377\327\330|\373\3643", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "&l\246-\346(x\304\216\210\266W\3118\1S|\362\322\255\375d,\365\230\207\305\20c\307&\336\332\341q\257\236\265\243\247\355`\304A\265\246kv\6\@IjF\3149a5W\241@\202\22\36\252'%L\236R(]\374\377\327\330|\373\3643", 80, ... ) , 80, ... ) == 0x0
 00828   468   NtClose  (-2147482196, ... ) == 0x0
 00818   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\356\305\331:\323\236!|\310\\240\206\360.'V\340!\262\37l\352\317V\213\277t\232\246\26r3g\237F\337\327Q\372=\24@\303e\313\36\375\2244\260H\334W\221\363>c\216\370\230\310\327\16\335\321\3203}\307\224|s\350\315\274\307r'\274\5J5\260\235<\35\17z\7'9\301\311f\256qLoS/8\35\213\253\34j\202\377t\265\324\231\125\323\233\30\260\22\276Q\354A\362]\365\364c\23I 0\336\335\371t\354\250\36\274\333\333A\312m\372\316\377\343\314\2L\253%b\226\200$|\27\372\337\335\207\35\337, ) , ) == 0x0
 00829   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00830   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00831   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00832   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00833   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00834   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00835   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00836   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00837   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00838   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "\\362\272=\216\272\337oT\267\202)\321Y\204R\354:);\324\322\14\17\371\236\33\305\320\235D[\376\27\342\241{\35\200sF\272\226F\257m\2366\274\214\224?\231\250\373\237bk\370'\374T\14\245\360:g{G\240\272P\4\276V\32X\232\313q", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "\\362\272=\216\272\337oT\267\202)\321Y\204R\354:);\324\322\14\17\371\236\33\305\320\235D[\376\27\342\241{\35\200sF\272\226F\257m\2366\274\214\224?\231\250\373\237bk\370'\374T\14\245\360:g{G\240\272P\4\276V\32X\232\313q", 80, ... ) , 80, ... ) == 0x0
 00839   468   NtClose  (-2147482196, ... ) == 0x0
 00829   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\3715\254|(\7\370\3021\30\276\30-w\177T/\12\374\3411\306|\37\332\254q:\225\347E\25\236\271h\367\344\371]\303\355J\235 \264\274\226\34\221\312\367l\5$\371@\237\e}Gq\23g\337G\302\200\207\230\201A@\347\310"r\206x\335uI&Y\337\252\254\333\253\354t\307\337.\3745\342\235\325\203\26\314[Cs\273^eE\200`&\326t\363\221\209\5\250o\257\321\333\32\340<\14\177\364\316C\325\251\373\344\257\33xh:\36\260\270\21{]\32\34\257\303\376\374\25585\377\242\370\330\31PW\21\203\305\336J'\2713\277\310\337\116g\271d\233\260\210\260\274\25c\317\317\30Q\321\17;0\346\341\317\253\216F\366\207\217\362=\230\2004\236\332 \201\343\232L\327\246\254!&\200\6'y\214\202\236\232q\203\201E\273\15\243\330\340\5\210\226m\7\301: Q9M!0\177\202\37_\322p", ) r\206x\335uI&Y\337\252\254\333\253\354t\307\337.\3745\342\235\325\203\26\314[Cs\273^eE\200`&\326t\363\221\209\5\250o\257\321\333\32\340<\14\177\364\316C\325\251\373\344\257\33xh:\36\260\270\21{]\32\34\257\303\376\374\25585\377\242\370\330\31PW\21\203\305\336J'\2713\277\310\337\116g\271d\233\260\210\260\274\25c\317\317\30Q\321\17;0\346\341\317\253\216F\366\207\217\362=\230\2004\236\332 \201\343\232L\327\246\254!&\200\6'y\214\202\236\232q\203\201E\273\15\243\330\340\5\210\226m\7\301: Q9M!0\177\202\37_\322p", ) == 0x0
 00840   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031O1\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00841   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00842   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00843   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00844   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00845   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00846   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00847   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00848   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00849   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "*\271\275\265\327\236x.\336\230_<\364\236\227\24\332\36Kv\274C9\270\314\223\347;X\300\266\\12^\255\226=\257\310\377\250\127s\362\260]'\2458~{oHy\177F\202\225I\274\234\312"\230U\326\212+Y^\11\330\347t\353\251`{c", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "*\271\275\265\327\236x.\336\230_<\364\236\227\24\332\36Kv\274C9\270\314\223\347;X\300\266\\12^\255\226=\257\310\377\250\127s\362\260]'\2458~{oHy\177F\202\225I\274\234\312"\230U\326\212+Y^\11\330\347t\353\251`{c", 80, ... ) \230U\326\212+Y^\11\330\347t\353\251`{c", 80, ... ) == 0x0
 00850   468   NtClose  (-2147482196, ... ) == 0x0
 00840   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\354H\344H&\243\360\366\224\343\257>:%\272\24\207\374\342\310v[\2558S\346\213-\25v\2).'jv\261]\34\216^\337\314DG`\257e\232\263\250\23\4\227\221\313\26\326\360\367M\231<\213\265-+x\12\233\265\254\317G\241/\30}\221\20R\14\305>\260#\375vtB\236jId\266\332\\232d\204\227E\370\211\1\237k\362yG\200\33\346\307|\345 G\326\263\272\214\1\267\377\347I\320\6l\227RpAqE\355s\375\241\225\263\202g\0\13\326\237\217*\247\265~~\273W\320\255T\230O\27*$wOq\34\271\202\250\217[i\353\2641\370\352+\34J\242Z\301ko\35\347\255\16\262\201\311\261\23\31\35\322\261\225y\23\360\345+\341\362\242\217\370\244u.KH\310(6\25\366\337\255\300 {6\247\20\222\224\215g\253_\2\224\336ih\257,\271G\10D\261u\223\217Og\326\371", ) , ) == 0x0
 00851   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031O1\374:y\2031O1\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00852   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00853   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00854   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00855   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00856   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00857   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00858   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00859   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00860   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "\264\6W\223w\354\267,\323en7\254}6Hs\341I\220z(s\222\363\24\377i7=\324$\200\257\314\202/\224Lg\\250\253\26\314\201\332\246\362\346\275\266\271SQ\375&]\377\342G\262a\243\331\355\255", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "\264\6W\223w\354\267,\323en7\254}6Hs\341I\220z(s\222\363\24\377i7=\324$\200\257\314\202/\224Lg\\250\253\26\314\201\332\246\362\346\275\266\271SQ\375&]\377\342G\262a\243\331\355\255", 80, ... ) \200\257\314\202/\224Lg\\250\253\26\314\201\332\246\362\346\275\266\271SQ\375&]\377\342G\262a\243\331\355\255", 80, ... ) == 0x0
 00861   468   NtClose  (-2147482196, ... ) == 0x0
 00851   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\225\305\267N\204\213\\267"\354I4\324\260\22\\15Ye\253g\310l\257\326tv\277\256\201\325S%\353f\363\243A\220-\230\\377B\270\376G$\377\306\2043\204\350\24\260\33-$=\12\256\26\10\365y_{$o\331\347\364\218\277q\220\14\377\362\223\311T\357\370-tX&j\10\336T\2311\375\277\25\201\212\374\235]\334\244\367\215\365\327\355\305\364z\177\32\34\373\4\301\201\241\351Dy\310\266\316n\370'\317\266\317\346%\270y\354X\222\344\225\4\250\220\243\350\307z\232\355\326K~\202R\205_\314\201\3661\220\24660\373+\21\205\330\334\25\312\247\325Sq\0D\3\327\3301.\374zg\256o\320\360V$\33\221\32a*\344\31CZ\20\203\253\244\3650\235f\305\215UA!\11\\247\323\207\310\344l\202\310\23]\220 \17x`\225&$]\265\10n\242\265\31\341\341R\351\14\335\210\200\252\202\266", ) \354I4\324\260\22\\15Ye\253g\310l\257\326tv\277\256\201\325S%\353f\363\243A\220-\230\\377B\270\376G$\377\306\2043\204\350\24\260\33-$=\12\256\26\10\365y_{$o\331\347\364\218\277q\220\14\377\362\223\311T\357\370-tX&j\10\336T\2311\375\277\25\201\212\374\235]\334\244\367\215\365\327\355\305\364z\177\32\34\373\4\301\201\241\351Dy\310\266\316n\370'\317\266\317\346%\270y\354X\222\344\225\4\250\220\243\350\307z\232\355\326K~\202R\205_\314\201\3661\220\24660\373+\21\205\330\334\25\312\247\325Sq\0D\3\327\3301.\374zg\256o\320\360V$\33\221\32a*\344\31CZ\20\203\253\244\3650\235f\305\215UA!\11\\247\323\207\310\344l\202\310\23]\220 \17x`\225&$]\265\10n\242\265\31\341\341R\351\14\335\210\200\252\202\266", ) == 0x0
 00862   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00863   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00864   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00865   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00866   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00867   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00868   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00869   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00870   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00871   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "*i\234_\255\230t\200u\220f%/g\310@\346\2139\15\204\205G4\32\21`\243\305\367\327@\245E_\332C\237\250\225gs\215r\21\362\355\234h\31\17G\244\26)1\31\13\255_`z\337^R\342\313MaM\212L\201/\3735\256-\24\273", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "*i\234_\255\230t\200u\220f%/g\310@\346\2139\15\204\205G4\32\21`\243\305\367\327@\245E_\332C\237\250\225gs\215r\21\362\355\234h\31\17G\244\26)1\31\13\255_`z\337^R\342\313MaM\212L\201/\3735\256-\24\273", 80, ... ) , 80, ... ) == 0x0
 00872   468   NtClose  (-2147482196, ... ) == 0x0
 00862   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\302%$\315\13\341^\241\221\341a~J\243O\317)yT\265\370/F\341\3\217\343\301\20T\25Q\230\265Y\205\347a\242\262\307\236\352q\12\201\26A4\337\1B\33\34<\267\346\27\26\323\211\30b\302y\14/\334\311\312\206\273\374\221<\321\31\33\374$\361\330h\266\317\307\30\224e\313;y\260)\272\306\215\205]\361\224\225t\15`{\261\314\231\17\0\371\301\225GK=q)e\276J\205\217\3377\300\200,1_\340^\35\332u*\240\322F'\227\221\360\300\274/:h\275/\16\5\363\217\1\312\236\277\0<\32|G\265g\356\225+b\243!\200\250\13\206L\14z~\350\330~k\272\202\347\341\267\225\36n?\344\3177A\312\213{\211\252\362\326\216&P*\22456+X9\0\325\376\220c\317\317\326\242\302\221~\313\271\31\374\323:JQr=\224*+\365<\3\366[\270\231\254P~\324;~&/\12", ) , ) == 0x0
 00873   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00874   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00875   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00876   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00877   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00878   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00879   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00880   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00881   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00882   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "\301T\207\270I\7\5\231\211E\244\360\375\253\3724S>\254/\323\223\272\14\252\215\255\323\205\213_4\365\213j\304\373n\301Z\345\377\203\2436L\223\13F_\370\362\200\3103\233\242\221.\307(\327\353!\205\224\12i\303\34\335\341G\325p\264BN\344\315", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "\301T\207\270I\7\5\231\211E\244\360\375\253\3724S>\254/\323\223\272\14\252\215\255\323\205\213_4\365\213j\304\373n\301Z\345\377\203\2436L\223\13F_\370\362\200\3103\233\242\221.\307(\327\353!\205\224\12i\303\34\335\341G\325p\264BN\344\315", 80, ... ) , 80, ... ) == 0x0
 00883   468   NtClose  (-2147482196, ... ) == 0x0
 00873   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "C\35\376.\33\267H\232\272\302\227\6\363\371\11\243\244\250\261\370J\213_\202\212-\232\210\260MV\277\357>\250_\365\31!\210*\244\221\274r\241\346S\274\25\37\363fq\232X(T\216\277\128\7\230\250F\13\320*\267\237c\357H8\212\311\333\2116\210"\234\35\202\205\221\330[.\6"\360Q\3363\356\201\256\31\3\270\333,)1\325\364y\11\247\210ZS\312\364\326\33\210\210\23\23i\376\37\217\357L?Vu\33\250\315\257\3124\11\370r\276]\4\36\352"\235(\6\315i%\371\272\302"\346\217F\335\20\25\271\240Y\322\314\322\7i\271-\15H\22S\255o*\301\21\243\275\310\361<\326\235\364\312\263\303\24Z\364\242\32\243.z?j\246p\37\221'2\2329s\246\3606\210\212\11,\311Px\310\A/]<\352\3\313i8\32s?\301\357\371-G\261\15\374\300FM\267\22\302\225\267\307 \331\215\226", ) \234\35\202\205\221\330[.\6 ... {status=0x0, info=256}, "C\35\376.\33\267H\232\272\302\227\6\363\371\11\243\244\250\261\370J\213_\202\212-\232\210\260MV\277\357>\250_\365\31!\210*\244\221\274r\241\346S\274\25\37\363fq\232X(T\216\277\128\7\230\250F\13\320*\267\237c\357H8\212\311\333\2116\210"\234\35\202\205\221\330[.\6"\360Q\3363\356\201\256\31\3\270\333,)1\325\364y\11\247\210ZS\312\364\326\33\210\210\23\23i\376\37\217\357L?Vu\33\250\315\257\3124\11\370r\276]\4\36\352"\235(\6\315i%\371\272\302"\346\217F\335\20\25\271\240Y\322\314\322\7i\271-\15H\22S\255o*\301\21\243\275\310\361<\326\235\364\312\263\303\24Z\364\242\32\243.z?j\246p\37\221'2\2329s\246\3606\210\212\11,\311Px\310\A/]<\352\3\313i8\32s?\301\357\371-G\261\15\374\300FM\267\22\302\225\267\307 \331\215\226", ) \235(\6\315i%\371\272\302 ... {status=0x0, info=256}, "C\35\376.\33\267H\232\272\302\227\6\363\371\11\243\244\250\261\370J\213_\202\212-\232\210\260MV\277\357>\250_\365\31!\210*\244\221\274r\241\346S\274\25\37\363fq\232X(T\216\277\128\7\230\250F\13\320*\267\237c\357H8\212\311\333\2116\210"\234\35\202\205\221\330[.\6"\360Q\3363\356\201\256\31\3\270\333,)1\325\364y\11\247\210ZS\312\364\326\33\210\210\23\23i\376\37\217\357L?Vu\33\250\315\257\3124\11\370r\276]\4\36\352"\235(\6\315i%\371\272\302"\346\217F\335\20\25\271\240Y\322\314\322\7i\271-\15H\22S\255o*\301\21\243\275\310\361<\326\235\364\312\263\303\24Z\364\242\32\243.z?j\246p\37\221'2\2329s\246\3606\210\212\11,\311Px\310\A/]<\352\3\313i8\32s?\301\357\371-G\261\15\374\300FM\267\22\302\225\267\307 \331\215\226", ) , ) == 0x0
 00884   468   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\222\374\340\5\264\233;=\235~\313\252f\204Uw\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031O1\374:y\2031\25\246h0\322\243\32,\332\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00885   468   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00886   468   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00887   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00888   468   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00889   468   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00890   468   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00891   468   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00892   468   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482196, 2, ) }, 0, 0x0, 0, ... -2147482196, 2, ) == 0x0
 00893   468   NtSetValueKey  (-2147482196,  (-2147482196, "Seed", 0, 3, "ph\202s\233\222\222\357\20_\275H!\364H*\15\221\353r%\256\155a\11'MZM\325\254?va5B\364<0\264\217|Aq\202P\352I\251\205`\306\322\16![\310\364S\27\1\216\352[F*G\256&H\306\202W\14\307G\272\231\361", 80, ... ) , 0, 3,  (-2147482196, "Seed", 0, 3, "ph\202s\233\222\222\357\20_\275H!\364H*\15\221\353r%\256\155a\11'MZM\325\254?va5B\364<0\264\217|Aq\202P\352I\251\205`\306\322\16![\310\364S\27\1\216\352[F*G\256&H\306\202W\14\307G\272\231\361", 80, ... ) , 80, ... ) == 0x0
 00894   468   NtClose  (-2147482196, ... ) == 0x0
 00884   468   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "i\352\20\355\30\317\323Wo\11\252a\225\27[\237\211\305\232b\327K4Q\201\261q\204\13\4\306_\236\20\356\24\357:\356\202\236[\237"\355z9\26j\315\337d\263k\356aEO\11\244\222v:u\331\3605+\327\371A\241Z\373\216\5\246\335.\220\31\35Y\34\323'\205IF\3\360\313\301+\367`\353\344\227<1\211\277\265\244\371\25I}O\367\6xkD\210\226,\5\313sn\243\376Q \36\305\205F\337\230\370\337\244\334>^:\341_;rY\217)L,\364\236#x\13\24\22J\332yj\370\361\227\10\351\255\315f\212\255h\335\2538Rw\30ss\300(\361\371\352\367\265\251\357\231\274'\322g\313\376\344\13/:\341\223\341\317.\217(5^\177\334\222\20\16\337\253q \376\211\322\350#u\354\355\33r\48\34\251N\14\230R\234\322\312\310f4\22\223pq/\301\377e0.\357\212\200\242R", ) \355z9\26j\315\337d\263k\356aEO\11\244\222v:u\331\3605+\327\371A\241Z\373\216\5\246\335.\220\31\35Y\34\323'\205IF\3\360\313\301+\367`\353\344\227<1\211\277\265\244\371\25I}O\367\6xkD\210\226,\5\313sn\243\376Q \36\305\205F\337\230\370\337\244\334>^:\341_;rY\217)L,\364\236#x\13\24\22J\332yj\370\361\227\10\351\255\315f\212\255h\335\2538Rw\30ss\300(\361\371\352\367\265\251\357\231\274'\322g\313\376\344\13/:\341\223\341\317.\217(5^\177\334\222\20\16\337\253q \376\211\322\350#u\354\355\33r\48\34\251N\14\230R\234\322\312\310f4\22\223pq/\301\377e0.\357\212\200\242R", ) == 0x0
 00895   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 112, ) }, ... 112, ) == 0x0
 00896   468   NtQueryValueKey  (112,  (112, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 00898   468   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   468   NtClose  (116, ... ) == 0x0
 00900   468   NtClose  (112, ... ) == 0x0
 00901   468   NtAllocateVirtualMemory  (-1, 1445888, 0, 24576, 4096, 4, ... 1445888, 24576, ) == 0x0
 00902   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == 0x0
 00906   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00907   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 00908   468   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   468   NtClose  (112, ... ) == 0x0
 00910   468   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00911   468   NtClose  (116, ... ) == 0x0
 00912   468   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00915   468   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   468   NtClose  (116, ... ) == 0x0
 00917   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00919   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00920   468   NtQuerySystemTime  (... {865889110, 29870590}, ) == 0x0
 00921   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00922   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   468   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00924   468   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00925   468   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00926   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00927   468   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0
 00928   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00929   468   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00930   468   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00931   468   NtClose  (136, ... ) == 0x0
 00932   468   NtClose  (132, ... ) == 0x0
 00933   468   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00934   468   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00935   468   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00936   468   NtAllocateVirtualMemory  (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0
 00937   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00938   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00939   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00940   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00941   468   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235664,  (0xc0100080, {24, 0, 0x40, 0, 1235664, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00942   468   NtSetInformationFile  (148, 1235720, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00943   468   NtSetInformationFile  (148, 1235712, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00944   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00945   468   NtWriteFile  (148, 125, 0, 0,  (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00946   468   NtReadFile  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00947   468   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20y$\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00948   468   NtClose  (144, ... ) == 0x0
 00949   468   NtClose  (148, ... ) == 0x0
 00950   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235708, ... ) }, 1235708, ... ) == 0x0
 00951   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00952   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00953   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235528, ... ) }, 1235528, ... ) == 0x0
 00954   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00955   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00956   468   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0
 00957   468   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS
 00958   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00959   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00960   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00962   468   NtQueryValueKey  (144,  (144, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   468   NtClose  (144, ... ) == 0x0
 00964   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00965   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00966   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00968   468   NtQueryValueKey  (144,  (144, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   468   NtClose  (144, ... ) == 0x0
 00970   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00971   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00972   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00974   468   NtQueryValueKey  (144,  (144, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   468   NtClose  (144, ... ) == 0x0
 00976   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00977   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00978   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00980   468   NtQueryValueKey  (144,  (144, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   468   NtClose  (144, ... ) == 0x0
 00982   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00984   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00985   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00987   468   NtQueryValueKey  (144,  (144, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   468   NtClose  (144, ... ) == 0x0
 00989   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00990   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00991   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00993   468   NtQueryValueKey  (144,  (144, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   468   NtClose  (144, ... ) == 0x0
 00995   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00996   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 00997   468   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00998   468   NtClose  (144, ... ) == 0x0
 00999   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01000   468   NtSetInformationObject  (146, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01001   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01002   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 152, ) }, ... 152, ) == 0x0
 01004   468   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01005   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01006   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01007   468   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01008   468   NtClose  (156, ... ) == 0x0
 01009   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   468   NtQueryValueKey  (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01011   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233436, ... ) }, 1233436, ... ) == 0x0
 01012   468   NtClose  (154, ... ) == 0x0
 01013   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01014   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 152, ) }, ... 152, ) == 0x0
 01016   468   NtAllocateVirtualMemory  (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0
 01017   468   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01018   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01019   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01020   468   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01021   468   NtClose  (156, ... ) == 0x0
 01022   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   468   NtEnumerateKey  (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01024   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01025   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 156, ) }, ... 156, ) == 0x0
 01027   468   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01028   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01029   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01030   468   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01031   468   NtClose  (160, ... ) == 0x0
 01032   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   468   NtQueryValueKey  (158,  (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01034   468   NtClose  (158, ... ) == 0x0
 01035   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01036   468   NtEnumerateKey  (154, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01037   468   NtClose  (154, ... ) == 0x0
 01038   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01039   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01040   468   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 156, ) }, ... 156, ) == 0x0
 01041   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01043   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01045   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 160, ) }, ... 160, ) == 0x0
 01047   468   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01048   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01049   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01050   468   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01051   468   NtClose  (164, ... ) == 0x0
 01052   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   468   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 01054   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01055   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 164, ) }, ... 164, ) == 0x0
 01057   468   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01058   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01059   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01060   468   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01061   468   NtClose  (168, ... ) == 0x0
 01062   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   468   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   468   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01065   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01066   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01067   468   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01068   468   NtClose  (168, ... ) == 0x0
 01069   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   468   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0, ""}, ... 168, ) == 0x0
 01071   468   NtClose  (166, ... ) == 0x0
 01072   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01073   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01074   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01076   468   NtQueryValueKey  (164,  (164, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   468   NtClose  (164, ... ) == 0x0
 01078   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01079   468   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 164, ) == 0x0
 01080   468   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01081   468   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01082   468   NtClose  (164, ... ) == 0x0
 01083   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01084   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01085   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01087   468   NtQueryValueKey  (164,  (164, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   468   NtClose  (164, ... ) == 0x0
 01089   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01090   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01091   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01093   468   NtQueryValueKey  (164,  (164, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   468   NtClose  (164, ... ) == 0x0
 01095   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01096   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01097   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01099   468   NtQueryValueKey  (164,  (164, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   468   NtClose  (164, ... ) == 0x0
 01101   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01102   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01103   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01105   468   NtQueryValueKey  (164,  (164, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   468   NtClose  (164, ... ) == 0x0
 01107   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01108   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01109   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01110   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01111   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01113   468   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   468   NtClose  (164, ... ) == 0x0
 01115   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01116   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01117   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01119   468   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   468   NtClose  (164, ... ) == 0x0
 01121   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01122   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01123   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01125   468   NtQueryValueKey  (164,  (164, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   468   NtClose  (164, ... ) == 0x0
 01127   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01128   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01129   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01130   468   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 164, ) }, ... 164, ) == 0x0
 01131   468   NtQueryValueKey  (164,  (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01132   468   NtQueryValueKey  (164,  (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01133   468   NtQueryValueKey  (164,  (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01134   468   NtQueryValueKey  (164,  (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01135   468   NtQueryValueKey  (164,  (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   468   NtQueryValueKey  (164,  (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01137   468   NtQueryValueKey  (164,  (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01139   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01140   468   NtQueryValueKey  (164,  (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01141   468   NtQueryValueKey  (164,  (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   468   NtQueryValueKey  (164,  (164, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   468   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01144   468   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   468   NtClose  (164, ... ) == 0x0
 01146   468   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS
 01147   468   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01148   468   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01149   468   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01150   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01152   468   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153   468   NtClose  (172, ... ) == 0x0
 01154   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   468   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01157   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01160   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 172, ) }, ... 172, ) == 0x0
 01162   468   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01163   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01164   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01165   468   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01166   468   NtClose  (176, ... ) == 0x0
 01167   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   468   NtQueryValueKey  (174,  (174, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   468   NtClose  (174, ... ) == 0x0
 01170   468   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01171   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01172   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01173   468   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01174   468   NtClose  (172, ... ) == 0x0
 01175   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   468   NtQueryValueKey  (170,  (170, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   468   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01178   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01179   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01180   468   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01181   468   NtClose  (172, ... ) == 0x0
 01182   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   468   NtQueryValueKey  (170,  (170, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   468   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01185   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01186   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01187   468   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01188   468   NtClose  (172, ... ) == 0x0
 01189   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   468   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01192   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 172, ) }, ... 172, ) == 0x0
 01194   468   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 01195   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01196   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01197   468   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   468   NtClose  (176, ... ) == 0x0
 01199   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   468   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   468   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01202   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01203   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01204   468   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01205   468   NtClose  (176, ... ) == 0x0
 01206   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   468   NtQueryValueKey  (170,  (170, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   468   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01209   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01211   468   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   468   NtClose  (176, ... ) == 0x0
 01213   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   468   NtQueryValueKey  (170,  (170, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   468   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01216   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01217   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01218   468   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01219   468   NtClose  (176, ... ) == 0x0
 01220   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   468   NtQueryValueKey  (170,  (170, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   468   NtClose  (162, ... ) == 0x0
 01223   468   NtClose  (170, ... ) == 0x0
 01224   468   NtClose  (174, ... ) == 0x0
 01225   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01226   468   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1474840, 0,  (0x1f0003, {24, 52, 0x80, 1474840, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS
 01227   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01228   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01229   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01230   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01231   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01232   468   NtQueryValueKey  (168,  (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01233   468   NtClose  (168, ... ) == 0x0
 01234   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01235   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01236   468   NtSetValueKey  (168,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0
 01237   468   NtClose  (168, ... ) == 0x0
 01238   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01239   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01240   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 160, ) == 0x0
 01241   468   NtClose  (168, ... ) == 0x0
 01242   468   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01243   468   NtClose  (160, ... ) == 0x0
 01244   468   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01245   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01246   468   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   468   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == 0x0
 01251   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01252   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 168, ) == 0x0
 01253   468   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01254   468   NtClose  (160, ... ) == 0x0
 01255   468   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01256   468   NtClose  (168, ... ) == 0x0
 01257   468   NtAllocateVirtualMemory  (-1, 8863744, 0, 4096, 4096, 4, ... 8863744, 4096, ) == 0x0
 01258   468   NtQueryDefaultLocale  (1, 1233480, ... ) == 0x0
 01259   468   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01260   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01261   468   NtQueryValueKey  (168,  (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01262   468   NtClose  (168, ... ) == 0x0
 01263   468   NtUserGetProcessWindowStation  (... ) == 0x28
 01264   468   NtUserGetObjectInformation  (40, 1, 1233152, 12, 1233164, ... ) == 0x1
 01265   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 168, ) }, ... 168, ) == 0x0
 01266   468   NtQueryValueKey  (168,  (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01267   468   NtClose  (168, ... ) == 0x0
 01268   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01269   468   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01270   468   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01271   468   NtClose  (168, ... ) == 0x0
 01272   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01273   468   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01274   468   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01275   468   NtClose  (168, ... ) == 0x0
 01276   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01277   468   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01278   468   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01279   468   NtClose  (168, ... ) == 0x0
 01280   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01281   468   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01282   468   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01283   468   NtClose  (168, ... ) == 0x0
 01284   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01285   468   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01286   468   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01287   468   NtClose  (168, ... ) == 0x0
 01288   468   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 01289   468   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 168, ) }, ... 168, ) == 0x0
 01290   468   NtQueryValueKey  (168,  (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01291   468   NtClose  (168, ... ) == 0x0
 01292   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01293   468   NtCreateMutant  (0x1f0001, 0x0, 0, ... 160, ) == 0x0
 01294   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01295   468   NtCreateMutant  (0x1f0001, 0x0, 0, ... 180, ) == 0x0
 01296   468   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01297   468   NtCreateMutant  (0x1f0001, 0x0, 0, ... 188, ) == 0x0
 01298   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 192, ) }, ... 192, ) == 0x0
 01299   468   NtQueryValueKey  (192,  (192, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   468   NtQueryValueKey  (192,  (192, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   468   NtOpenKey  (0x1, {24, 192, 0x40, 0, 0,  (0x1, {24, 192, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   468   NtClose  (192, ... ) == 0x0
 01303   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233072, ... ) }, 1233072, ... ) == 0x0
 01304   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 192, ) }, ... 192, ) == 0x0
 01305   468   NtQueryValueKey  (192,  (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01306   468   NtClose  (192, ... ) == 0x0
 01307   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01308   468   NtQueryValueKey  (192,  (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01309   468   NtClose  (192, ... ) == 0x0
 01310   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01312   468   NtQueryValueKey  (192,  (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01313   468   NtClose  (192, ... ) == 0x0
 01314   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01315   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01316   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01317   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01318   468   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01319   468   NtSetInformationFile  (196, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01320   468   NtSetInformationFile  (196, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01321   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01322   468   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01323   468   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01324   468   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20;!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01325   468   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01326   468   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\343\11\240m\3615\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01327   468   NtClose  (192, ... ) == 0x0
 01328   468   NtClose  (196, ... ) == 0x0
 01329   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01330   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01331   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01332   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01333   468   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   468   NtSetInformationFile  (192, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01335   468   NtSetInformationFile  (192, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01336   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01337   468   NtWriteFile  (192, 125, 0, 0,  (192, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01338   468   NtReadFile  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20, ) , ) == 0x0
 01339   468   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20, ) , 64, 1024, ... {status=0x103, info=68},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20, ) , ) == 0x103
 01340   468   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01341   468   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\344\11\240m\3615\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01342   468   NtClose  (196, ... ) == 0x0
 01343   468   NtClose  (192, ... ) == 0x0
 01344   468   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01345   468   NtOpenProcessToken  (-1, 0x20, ... 192, ) == 0x0
 01346   468   NtAdjustPrivilegesToken  (192, 0, 1482976, 0, 0, 0, ... ) == 0x0
 01347   468   NtClose  (192, ... ) == 0x0
 01348   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01349   468   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01350   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01351   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01352   468   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234092,  (0xc0100080, {24, 0, 0x40, 0, 1234092, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01353   468   NtSetInformationFile  (196, 1234148, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01354   468   NtSetInformationFile  (196, 1234140, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01355   468   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01356   468   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01357   468   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01358   468   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\336"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01359   468   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01360   468   NtOpenProcessToken  (-1, 0x20, ... 200, ) == 0x0
 01361   468   NtAdjustPrivilegesToken  (200, 0, 1483056, 0, 0, 0, ... ) == 0x0
 01362   468   NtClose  (200, ... ) == 0x0
 01363   468   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01364   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01365   468   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01366   468   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01367   468   NtClose  (204, ... ) == 0x0
 01368   468   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369   468   NtClose  (200, ... ) == 0x0
 01370   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=1}, ) }, 3, 16, ... 200, {status=0x0, info=1}, ) == 0x0
 01371   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01372   468   NtClose  (200, ... ) == 0x0
 01373   468   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01374   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01375   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01376   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01377   468   NtClose  (-2147482196, ... ) == 0x0
 01375   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01378   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01379   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01380   468   NtClose  (-2147482196, ... ) == 0x0
 01378   468   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01381   468   NtClose  (200, ... ) == 0x0
 01382   468   NtAllocateVirtualMemory  (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0
 01383   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01384   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01385   468   NtClose  (200, ... ) == 0x0
 01386   468   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01387   468   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01388   468   NtClose  (204, ... ) == 0x0
 01389   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01390   468   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01391   468   NtClose  (204, ... ) == 0x0
 01392   468   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01393   468   NtClose  (200, ... ) == 0x0
 01394   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01395   468   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01396   468   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01397   468   NtClose  (204, ... ) == 0x0
 01398   468   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01399   468   NtClose  (200, ... ) == 0x0
 01400   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01401   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01402   468   NtClose  (200, ... ) == 0x0
 01403   468   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01404   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01405   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01406   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01407   468   NtClose  (-2147482196, ... ) == 0x0
 01405   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01408   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01409   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01410   468   NtClose  (-2147482196, ... ) == 0x0
 01408   468   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01411   468   NtClose  (200, ... ) == 0x0
 01412   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01413   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01414   468   NtClose  (200, ... ) == 0x0
 01415   468   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01416   468   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01417   468   NtClose  (204, ... ) == 0x0
 01418   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01419   468   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01420   468   NtClose  (204, ... ) == 0x0
 01421   468   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   468   NtClose  (200, ... ) == 0x0
 01423   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01424   468   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01425   468   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01426   468   NtClose  (204, ... ) == 0x0
 01427   468   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01428   468   NtClose  (200, ... ) == 0x0
 01429   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01430   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01431   468   NtClose  (200, ... ) == 0x0
 01432   468   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01433   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01434   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01435   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01436   468   NtClose  (-2147482196, ... ) == 0x0
 01434   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01437   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01438   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01439   468   NtClose  (-2147482196, ... ) == 0x0
 01437   468   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01440   468   NtClose  (200, ... ) == 0x0
 01441   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01442   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01443   468   NtClose  (200, ... ) == 0x0
 01444   468   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01445   468   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\270\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\270\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01446   468   NtClose  (204, ... ) == 0x0
 01447   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01448   468   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01449   468   NtClose  (204, ... ) == 0x0
 01450   468   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01451   468   NtClose  (200, ... ) == 0x0
 01452   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01453   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01454   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01455   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01456   468   NtClose  (-2147482196, ... ) == 0x0
 01454   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01457   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01458   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01459   468   NtClose  (-2147482196, ... ) == 0x0
 01457   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01460   468   NtClose  (200, ... ) == 0x0
 01461   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01462   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01463   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01464   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01465   468   NtClose  (-2147482196, ... ) == 0x0
 01463   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01466   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01467   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01468   468   NtClose  (-2147482196, ... ) == 0x0
 01466   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01469   468   NtClose  (200, ... ) == 0x0
 01470   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01471   468   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01472   468   NtClose  (200, ... ) == 0x0
 01473   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01475   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01479   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01482   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01483   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01484   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01485   468   NtClose  (-2147482196, ... ) == 0x0
 01483   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01486   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01487   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01488   468   NtClose  (-2147482196, ... ) == 0x0
 01486   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01489   468   NtClose  (200, ... ) == 0x0
 01490   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01491   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01492   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01493   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01494   468   NtClose  (-2147482196, ... ) == 0x0
 01492   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01495   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01496   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=0}, ) }, 0, 64, ... -2147482196, {status=0x0, info=0}, ) == 0x0
 01497   468   NtClose  (-2147482196, ... ) == 0x0
 01495   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01498   468   NtClose  (200, ... ) == 0x0
 01499   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01500   468   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01501   468   NtClose  (200, ... ) == 0x0
 01502   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01504   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01508   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01511   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01512   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01513   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01514   468   NtClose  (-2147482196, ... ) == 0x0
 01512   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01515   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01516   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01517   468   NtClose  (-2147482196, ... ) == 0x0
 01515   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01518   468   NtClose  (200, ... ) == 0x0
 01519   468   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01520   468   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01521   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01522   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01523   468   NtClose  (-2147482196, ... ) == 0x0
 01521   468   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01524   468   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01525   468   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482196, {status=0x0, info=1}, ) }, 0, 64, ... -2147482196, {status=0x0, info=1}, ) == 0x0
 01526   468   NtClose  (-2147482196, ... ) == 0x0
 01524   468   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01527   468   NtClose  (200, ... ) == 0x0
 01528   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01529   468   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01530   468   NtClose  (200, ... ) == 0x0
 01531   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01533   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01537   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01540   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01541   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01542   468   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 204, ) }, ... 204, ) == 0x0
 01543   468   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\F:0000000000009206", 66, ) , 66, ) == 0x0
 01544   468   NtClose  (204, ... ) == 0x0
 01545   468   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01546   468   NtClose  (200, ... ) == 0x0
 01547   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01548   468   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01549   468   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 204, ) }, ... 204, ) == 0x0
 01550   468   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\U:0000000000009206", 66, ) , 66, ) == 0x0
 01551   468   NtClose  (204, ... ) == 0x0
 01552   468   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01553   468   NtClose  (200, ... ) == 0x0
 01554   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01555   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01556   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01557   468   NtClose  (200, ... ) == 0x0
 01558   468   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01559   468   NtClose  (204, ... ) == 0x0
 01560   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01561   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01562   468   NtClose  (204, ... ) == 0x0
 01563   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01564   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 204, ) }, ... 204, ) == 0x0
 01566   468   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01567   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01568   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01569   468   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01570   468   NtClose  (200, ... ) == 0x0
 01571   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   468   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   468   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01574   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01575   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01576   468   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01577   468   NtClose  (200, ... ) == 0x0
 01578   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   468   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 200, ) == 0x0
 01580   468   NtClose  (206, ... ) == 0x0
 01581   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01582   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01583   468   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01584   468   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01585   468   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01586   468   NtAllocateVirtualMemory  (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0
 01587   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01588   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01589   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01590   468   NtClose  (204, ... ) == 0x0
 01591   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   468   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01594   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01595   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01596   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01597   468   NtClose  (204, ... ) == 0x0
 01598   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   468   NtQueryValueKey  (202,  (202, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01601   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01602   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01603   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01604   468   NtClose  (204, ... ) == 0x0
 01605   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   468   NtQueryValueKey  (202,  (202, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   468   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01608   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01610   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   468   NtClose  (204, ... ) == 0x0
 01612   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   468   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 204, ) }, ... 204, ) == 0x0
 01617   468   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01618   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01620   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   468   NtClose  (208, ... ) == 0x0
 01622   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   468   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01625   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01626   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01627   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01628   468   NtClose  (208, ... ) == 0x0
 01629   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   468   NtQueryValueKey  (202,  (202, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01632   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01633   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01634   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01635   468   NtClose  (208, ... ) == 0x0
 01636   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   468   NtQueryValueKey  (202,  (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01638   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01639   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01640   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01641   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01642   468   NtClose  (208, ... ) == 0x0
 01643   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   468   NtQueryValueKey  (202,  (202, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   468   NtClose  (202, ... ) == 0x0
 01646   468   NtClose  (206, ... ) == 0x0
 01647   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01648   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01649   468   NtClose  (204, ... ) == 0x0
 01650   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01651   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01652   468   NtClose  (204, ... ) == 0x0
 01653   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01654   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01655   468   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01656   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01657   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01658   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01659   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01660   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01661   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01662   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01663   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01664   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01665   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01666   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01667   468   NtClose  (204, ... ) == 0x0
 01668   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01669   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01670   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01671   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01672   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01673   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01674   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01675   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01676   468   NtClose  (204, ... ) == 0x0
 01677   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01678   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01679   468   NtClose  (204, ... ) == 0x0
 01680   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01681   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01682   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01683   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01684   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01685   468   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 01686   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01687   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01688   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01689   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01690   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01691   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01692   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01693   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01694   468   NtClose  (204, ... ) == 0x0
 01695   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01696   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01697   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01698   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01699   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01700   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01701   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01702   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01703   468   NtClose  (204, ... ) == 0x0
 01704   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01705   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01706   468   NtClose  (204, ... ) == 0x0
 01707   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01708   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01709   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231240, ... ) }, 1231240, ... ) == 0x0
 01710   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01711   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01712   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01713   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01714   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01715   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01716   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01717   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01718   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01719   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01720   468   NtClose  (204, ... ) == 0x0
 01721   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01722   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01723   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01724   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01725   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01726   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01727   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01728   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01729   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01730   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01731   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01732   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01733   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01734   468   NtClose  (204, ... ) == 0x0
 01735   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01736   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01737   468   NtClose  (204, ... ) == 0x0
 01738   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01739   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01740   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01741   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01742   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01743   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01744   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01745   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01746   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01747   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01748   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01749   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01750   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01751   468   NtClose  (204, ... ) == 0x0
 01752   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01753   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01754   468   NtClose  (204, ... ) == 0x0
 01755   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01756   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01757   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01758   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01759   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01760   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01761   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01762   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01763   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01764   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 83, 4096, 4, ... 10616832, 4096, ) == 0x0
 01765   468   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01766   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01767   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01768   468   NtClose  (204, ... ) == 0x0
 01769   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01770   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01771   468   NtClose  (204, ... ) == 0x0
 01772   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01773   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01774   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01775   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01776   468   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01777   468   NtQueryValueKey  (204,  (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 01778   468   NtClose  (204, ... ) == 0x0
 01779   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01780   468   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01781   468   NtSetValueKey  (204,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0
 01782   468   NtClose  (204, ... ) == 0x0
 01783   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01784   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01785   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01786   468   NtClose  (204, ... ) == 0x0
 01787   468   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01788   468   NtClose  (200, ... ) == 0x0
 01789   468   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01790   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01791   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01792   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01793   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01794   468   NtClose  (200, ... ) == 0x0
 01795   468   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01796   468   NtClose  (204, ... ) == 0x0
 01797   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01798   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01799   468   NtClose  (204, ... ) == 0x0
 01800   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01801   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01802   468   NtClose  (204, ... ) == 0x0
 01803   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01804   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01805   468   NtClose  (204, ... ) == 0x0
 01806   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01807   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01808   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229200, ... ) }, 1229200, ... ) == 0x0
 01809   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01810   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01811   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01812   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01813   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01814   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01815   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01816   468   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01817   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01818   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01819   468   NtClose  (204, ... ) == 0x0
 01820   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01821   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01822   468   NtClose  (204, ... ) == 0x0
 01823   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01824   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01825   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229172, ... ) }, 1229172, ... ) == 0x0
 01826   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01827   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01828   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01829   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01830   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01831   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01832   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01833   468   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01834   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01835   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01836   468   NtClose  (204, ... ) == 0x0
 01837   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01838   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01839   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01840   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01841   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01842   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01843   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01844   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01845   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01846   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01847   468   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01848   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01849   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01850   468   NtClose  (204, ... ) == 0x0
 01851   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01852   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01853   468   NtClose  (204, ... ) == 0x0
 01854   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01855   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01856   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01857   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01858   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01859   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01860   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01861   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01862   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01863   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01864   468   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01865   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01866   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01867   468   NtClose  (204, ... ) == 0x0
 01868   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01869   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01870   468   NtClose  (204, ... ) == 0x0
 01871   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01872   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01873   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01874   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   468   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01877   468   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01878   468   NtQueryInformationFile  (204, 1484128, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01879   468   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10616832, 1052672, ) == 0x0
 01880   468   NtAllocateVirtualMemory  (-1, 10616832, 0, 142, 4096, 4, ... 10616832, 4096, ) == 0x0
 01881   468   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01882   468   NtFreeVirtualMemory  (-1, (0xa20000), 1052672, 32768, ... (0xa20000), 1052672, ) == 0x0
 01883   468   NtUnlockFile  (204, {0, 0}, {-1, -1}, 468, ... ) == STATUS_RANGE_NOT_LOCKED
 01884   468   NtClose  (204, ... ) == 0x0
 01885   468   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01886   468   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01887   468   NtClose  (204, ... ) == 0x0
 01888   468   NtAllocateVirtualMemory  (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0
 01889   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01890   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01891   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01892   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01893   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01894   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01895   468   NtQueryValueKey  (204,  (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0
 01896   468   NtClose  (204, ... ) == 0x0
 01897   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01898   468   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01899   468   NtSetValueKey  (204,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01900   468   NtClose  (204, ... ) == 0x0
 01901   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01902   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01903   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01904   468   NtClose  (204, ... ) == 0x0
 01905   468   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01906   468   NtClose  (200, ... ) == 0x0
 01907   468   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01908   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01909   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01910   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01911   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01912   468   NtClose  (200, ... ) == 0x0
 01913   468   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01914   468   NtClose  (204, ... ) == 0x0
 01915   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01916   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1,  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01917   468   NtClose  (204, ... ) == 0x0
 01918   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01919   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01920   468   NtClose  (204, ... ) == 0x0
 01921   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01922   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01923   468   NtClose  (204, ... ) == 0x0
 01924   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01925   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01926   468   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01927   468   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01928   468   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01929   468   NtQueryValueKey  (204,  (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0
 01930   468   NtClose  (204, ... ) == 0x0
 01931   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01932   468   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01933   468   NtSetValueKey  (204,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0
 01934   468   NtClose  (204, ... ) == 0x0
 01935   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01936   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01937   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01938   468   NtClose  (204, ... ) == 0x0
 01939   468   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 01940   468   NtClose  (200, ... ) == 0x0
 01941   468   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 01942   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01943   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01944   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01945   468   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01946   468   NtClose  (200, ... ) == 0x0
 01947   468   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01948   468   NtClose  (204, ... ) == 0x0
 01949   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01950   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01951   468   NtClose  (204, ... ) == 0x0
 01952   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01953   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01954   468   NtClose  (204, ... ) == 0x0
 01955   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01956   468   NtQueryDirectoryFile  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01957   468   NtClose  (204, ... ) == 0x0
 01958   468   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 204, ) }, ... 204, ) == 0x0
 01959   468   NtEnumerateValueKey  (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01960   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01961   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01963   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01964   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01965   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01966   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01967   468   NtClose  (208, ... ) == 0x0
 01968   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   468   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01970   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01971   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01972   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01973   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01974   468   NtClose  (208, ... ) == 0x0
 01975   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   468   NtQueryValueKey  (202,  (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   468   NtClose  (202, ... ) == 0x0
 01978   468   NtEnumerateValueKey  (204, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01979   468   NtClose  (204, ... ) == 0x0
 01980   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01981   468   NtQueryValueKey  (204,  (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01982   468   NtClose  (204, ... ) == 0x0
 01983   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01984   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01985   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 01986   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01987   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01988   468   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01989   468   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01990   468   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01991   468   NtClose  (204, ... ) == 0x0
 01992   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01993   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01995   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 01997   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 01999   468   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02000   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02001   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02002   468   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02003   468   NtClose  (200, ... ) == 0x0
 02004   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   468   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02006   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02007   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 200, ) }, ... 200, ) == 0x0
 02009   468   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02010   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02012   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   468   NtClose  (208, ... ) == 0x0
 02014   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   468   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   468   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02017   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02018   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02019   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02020   468   NtClose  (208, ... ) == 0x0
 02021   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   468   NtOpenKey  (0x2000000, {24, 202, 0x40, 0, 0, ""}, ... 208, ) == 0x0
 02023   468   NtClose  (202, ... ) == 0x0
 02024   468   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02025   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02027   468   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   468   NtClose  (200, ... ) == 0x0
 02029   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   468   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   468   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 02032   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02033   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02034   468   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02035   468   NtClose  (200, ... ) == 0x0
 02036   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02037   468   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02039   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02041   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 02042   468   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02044   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02045   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02046   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02047   468   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02048   468   NtClose  (212, ... ) == 0x0
 02049   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   468   NtQueryValueKey  (202,  (202, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02051   468   NtClose  (202, ... ) == 0x0
 02052   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02053   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 200, ) }, ... 200, ) == 0x0
 02055   468   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 02056   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02057   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02058   468   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02059   468   NtClose  (212, ... ) == 0x0
 02060   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02061   468   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   468   NtClose  (206, ... ) == 0x0
 02063   468   NtClose  (210, ... ) == 0x0
 02064   468   NtClose  (202, ... ) == 0x0
 02065   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02066   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   468   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02068   468   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02070   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02072   468   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02073   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02074   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02075   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02076   468   NtClose  (208, ... ) == 0x0
 02077   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   468   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02079   468   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02080   468   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 208, ) }, ... 208, ) == 0x0
 02082   468   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02083   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02085   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   468   NtClose  (204, ... ) == 0x0
 02087   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   468   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02089   468   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02090   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02091   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02092   468   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02093   468   NtClose  (204, ... ) == 0x0
 02094   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   468   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 02096   468   NtClose  (210, ... ) == 0x0
 02097   468   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02098   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02099   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02100   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02101   468   NtClose  (208, ... ) == 0x0
 02102   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   468   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "shell"}, ... 208, ) }, ... 208, ) == 0x0
 02104   468   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02105   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02106   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02107   468   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02108   468   NtClose  (212, ... ) == 0x0
 02109   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02110   468   NtQueryValueKey  (210, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   468   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02112   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02114   468   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   468   NtClose  (212, ... ) == 0x0
 02116   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   468   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "open"}, ... 212, ) }, ... 212, ) == 0x0
 02118   468   NtClose  (210, ... ) == 0x0
 02119   468   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02120   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02121   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02122   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02123   468   NtClose  (208, ... ) == 0x0
 02124   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   468   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02126   468   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02127   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02128   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02129   468   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02130   468   NtClose  (216, ... ) == 0x0
 02131   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   468   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02133   468   NtClose  (210, ... ) == 0x0
 02134   468   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   468   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02136   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02137   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02138   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02139   468   NtClose  (208, ... ) == 0x0
 02140   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   468   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02142   468   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02143   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02144   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02145   468   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02146   468   NtClose  (216, ... ) == 0x0
 02147   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   468   NtQueryValueKey  (210,  (210, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02149   468   NtClose  (210, ... ) == 0x0
 02150   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   468   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02152   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02153   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02154   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02155   468   NtClose  (208, ... ) == 0x0
 02156   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   468   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02158   468   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02159   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02160   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02161   468   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02162   468   NtClose  (216, ... ) == 0x0
 02163   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   468   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02165   468   NtClose  (210, ... ) == 0x0
 02166   468   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02167   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02168   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02169   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02170   468   NtClose  (208, ... ) == 0x0
 02171   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02172   468   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173   468   NtUserGetForegroundWindow  (... ) == 0x20060
 02174   468   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02175   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02176   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02177   468   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02178   468   NtClose  (208, ... ) == 0x0
 02179   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   468   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02181   468   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02182   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02183   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02184   468   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02185   468   NtClose  (216, ... ) == 0x0
 02186   468   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   468   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02188   468   NtClose  (210, ... ) == 0x0
 02189   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02190   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02191   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02193   468   NtQueryValueKey  (208,  (208, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   468   NtClose  (208, ... ) == 0x0
 02195   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02196   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02197   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02199   468   NtQueryValueKey  (208,  (208, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   468   NtClose  (208, ... ) == 0x0
 02201   468   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   468   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   468   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02205   468   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02206   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   468   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02208   468   NtQueryValueKey  (208,  (208, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   468   NtClose  (208, ... ) == 0x0
 02210   468   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   468   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02212   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231308, ... ) }, 1231308, ... ) == 0x0
 02213   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02214   468   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02215   468   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 02216   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 216, ) }, ... 216, ) == 0x0
 02217   468   NtQueryValueKey  (216,  (216, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   468   NtClose  (216, ... ) == 0x0
 02219   468   NtQueryVolumeInformationFile  (208, 1231308, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02220   468   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 216, ) }, ... 216, ) == 0x0
 02221   468   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02222   468   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 220, ) }, ... 220, ) == 0x0
 02223   468   NtMapViewOfSection  (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa20000), {0, 0}, 57344, ) == 0x0
 02224   468   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02225   468   NtAllocateVirtualMemory  (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0
 02226   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229292, ... ) }, 1229292, ... ) == 0x0
 02227   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 02228   468   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0
 02229   468   NtClose  (224, ... ) == 0x0
 02230   468   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa30000), 0x0, 106496, ) == 0x0
 02231   468   NtClose  (228, ... ) == 0x0
 02232   468   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 02233   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229608, ... ) }, 1229608, ... ) == 0x0
 02234   468   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02235   468   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0
 02236   468   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02237   468   NtClose  (228, ... ) == 0x0
 02238   468   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02239   468   NtClose  (224, ... ) == 0x0
 02240   468   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0
 02241   468   NtQueryInformationFile  (224, 1229896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02242   468   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 02243   468   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa30000), 0x0, 1028096, ) == 0x0
 02244   468   NtQueryInformationFile  (224, 1229992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02245   468   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   468   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02247   468   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02248   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02249   468   NtQueryDirectoryFile  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1,  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 02250   468   NtClose  (232, ... ) == 0x0
 02251   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02252   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02253   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226944, ... ) }, 1226944, ... ) == 0x0
 02254   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02255   468   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02256   468   NtClose  (232, ... ) == 0x0
 02257   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02258   468   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02259   468   NtClose  (232, ... ) == 0x0
 02260   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02261   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02262   468   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02263   468   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02264   468   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 232, ) == 0x0
 02265   468   NtQueryInformationToken  (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   468   NtClose  (232, ... ) == 0x0
 02267   468   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   468   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02270   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02271   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02272   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02273   468   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02274   468   NtClose  (232, ... ) == 0x0
 02275   468   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02276   468   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02277   468   NtClose  (232, ... ) == 0x0
 02278   468   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02279   468   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02280   468   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02281   468   NtQueryVolumeInformationFile  (208, 1229868, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02282   468   NtQueryInformationFile  (208, 1229848, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02283   468   NtQueryInformationFile  (208, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02284   468   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02285   468   NtUnmapViewOfSection  (-1, 0xa30000, ... ) == 0x0
 02286   468   NtClose  (228, ... ) == 0x0
 02287   468   NtClose  (224, ... ) == 0x0
 02288   468   NtClose  (208, ... ) == 0x0
 02289   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   468   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == 0x0
 02292   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02293   468   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02294   468   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... 224, ) == 0x0
 02295   468   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   468   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02297   468   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   468   NtCreateProcessEx  (1233936, 2035711, 0, -1, 0, 224, 0, 0, 0, ... ) == 0x0
 02299   468   NtSetInformationProcess  (228, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02300   468   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=904,ParentPid=440,}, 0x0, ) == 0x0
 02301   468   NtReadVirtualMemory  (228, 0x7ffdf008, 4, ...  (228, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 02302   468   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   468   NtAllocateVirtualMemory  (-1, 1507328, 0, 8192, 4096, 4, ... 1507328, 8192, ) == 0x0
 02304   468   NtReadVirtualMemory  (228, 0x4ad00000, 4096, ...  (228, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02305   468   NtReadVirtualMemory  (228, 0x4ad3b000, 256, ...  (228, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 02306   468   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02307   468   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=904,ParentPid=440,}, 0x0, ) == 0x0
 02308   468   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02309   468   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 10682368, 4096, ) == 0x0
 02310   468   NtAllocateVirtualMemory  (228, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02311   468   NtWriteVirtualMemory  (228, 0x10000,  (228, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02312   468   NtAllocateVirtualMemory  (228, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02313   468   NtWriteVirtualMemory  (228, 0x20000,  (228, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0
 02314   468   NtWriteVirtualMemory  (228, 0x7ffdf010,  (228, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02315   468   NtWriteVirtualMemory  (228, 0x7ffdf1e8,  (228, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02316   468   NtFreeVirtualMemory  (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0
 02317   468   NtAllocateVirtualMemory  (228, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02318   468   NtAllocateVirtualMemory  (228, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 02319   468   NtCreateThread  (0x1f03ff, 0x0, 228, 1232200, 1232920, 1, ... 232, {904, 936}, ) == 0x0
 02320   468   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\210\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 468, 1555, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\210\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 440, 468, 1555, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\210\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 468, 1555, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0\210\3\0\0\250\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02321   468   NtResumeThread  (232, ... 1, ) == 0x0
 02322   468   NtClose  (208, ... ) == 0x0
 02323   468   NtClose  (224, ... ) == 0x0
 02324   468   NtClose  (214, ... ) == 0x0
 02325   468   NtClose  (202, ... ) == 0x0
 02326   468   NtClose  (206, ... ) == 0x0
 02327   468   NtClose  (228, ... ) == 0x0
 02328   468   NtClose  (232, ... ) == 0x0
 02329   468   NtUserDestroyWindow  (131250, ...
 02330   468   NtUserRemoveProp  (131250, 43288, ... ) == 0xffffffff
 02331   468   NtUserRemoveProp  (131250, 43282, ... ) == 0x0
 02332   468   NtUserRemoveProp  (131250, 43287, ... ) == 0x0
 02329   468   NtUserDestroyWindow  ... ) == 0x1
 02333   468   NtUserUnregisterClass  (1237380, 1998258176, 1237368, ... ) == 0x1
 02334   468   NtTerminateProcess  (0, 0, ... ) == 0x0
 02335   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02336   468   NtWaitForMultipleObjects  (2, (168, 160, ), 1, 0, 0x0, ... ) == 0x1
 02337   468   NtClose  (160, ... ) == 0x0
 02338   468   NtSetEvent  (168, ... 0x0, ) == 0x0
 02339   468   NtClose  (168, ... ) == 0x0
 02340   468   NtWaitForMultipleObjects  (2, (176, 180, ), 1, 0, 0x0, ... ) == 0x1
 02341   468   NtClose  (180, ... ) == 0x0
 02342   468   NtSetEvent  (176, ... 0x0, ) == 0x0
 02343   468   NtClose  (176, ... ) == 0x0
 02344   468   NtWaitForMultipleObjects  (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1
 02345   468   NtClose  (188, ... ) == 0x0
 02346   468   NtSetEvent  (184, ... 0x0, ) == 0x0
 02347   468   NtClose  (184, ... ) == 0x0
 02348   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02349   468   NtUnmapViewOfSection  (-1, 0x9c0000, ... ) == 0x0
 02350   468   NtClose  (108, ... ) == 0x0
 02351   468   NtGdiDeleteObjectApp  (135267321, ... ) == 0x1
 02352   468   NtUserGetProcessWindowStation  (... ) == 0x28
 02353   468   NtUserBuildNameList  (40, 256, 1392264, 1241844, ... ) == 0x0
 02354   468   NtUserGetProcessWindowStation  (... ) == 0x28
 02355   468   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 02356   468   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10084, 0x10078, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x10080, 0x10026, 0x100d6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x20060, 0x100d2, 0x100c8, 0x100c6, 0x100ac, 0x2005e, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x1007a, 0x1, ), 38, ) == 0x0
 02357   468   NtUserQueryWindow  (65706, 0, ... ) == 0x7f8
 02358   468   NtUserQueryWindow  (65706, 1, ... ) == 0x7fc
 02359   468   NtUserQueryWindow  (65704, 0, ... ) == 0x7f8
 02360   468   NtUserQueryWindow  (65704, 1, ... ) == 0x7fc
 02361   468   NtUserQueryWindow  (65702, 0, ... ) == 0x7f8
 02362   468   NtUserQueryWindow  (65702, 1, ... ) == 0x7fc
 02363   468   NtUserQueryWindow  (393270, 0, ... ) == 0x7f8
 02364   468   NtUserQueryWindow  (393270, 1, ... ) == 0x7fc
 02365   468   NtUserQueryWindow  (131170, 0, ... ) == 0x788
 02366   468   NtUserQueryWindow  (131170, 1, ... ) == 0x79c
 02367   468   NtUserQueryWindow  (65668, 0, ... ) == 0x788
 02368   468   NtUserQueryWindow  (65668, 1, ... ) == 0x79c
 02369   468   NtUserBuildHwndList  (0, 65668, 1, 0, 64, ... (0x10086, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 02370   468   NtUserQueryWindow  (65670, 0, ... ) == 0x788
 02371   468   NtUserQueryWindow  (65670, 1, ... ) == 0x79c
 02372   468   NtUserQueryWindow  (65674, 0, ... ) == 0x788
 02373   468   NtUserQueryWindow  (65674, 1, ... ) == 0x79c
 02374   468   NtUserQueryWindow  (65676, 0, ... ) == 0x788
 02375   468   NtUserQueryWindow  (65676, 1, ... ) == 0x79c
 02376   468   NtUserQueryWindow  (65678, 0, ... ) == 0x788
 02377   468   NtUserQueryWindow  (65678, 1, ... ) == 0x79c
 02378   468   NtUserQueryWindow  (65682, 0, ... ) == 0x788
 02379   468   NtUserQueryWindow  (65682, 1, ... ) == 0x79c
 02380   468   NtUserQueryWindow  (65684, 0, ... ) == 0x788
 02381   468   NtUserQueryWindow  (65684, 1, ... ) == 0x79c
 02382   468   NtUserQueryWindow  (65686, 0, ... ) == 0x788
 02383   468   NtUserQueryWindow  (65686, 1, ... ) == 0x79c
 02384   468   NtUserQueryWindow  (65688, 0, ... ) == 0x788
 02385   468   NtUserQueryWindow  (65688, 1, ... ) == 0x79c
 02386   468   NtUserQueryWindow  (65690, 0, ... ) == 0x788
 02387   468   NtUserQueryWindow  (65690, 1, ... ) == 0x79c
 02388   468   NtUserQueryWindow  (65694, 0, ... ) == 0x788
 02389   468   NtUserQueryWindow  (65694, 1, ... ) == 0x79c
 02390   468   NtUserQueryWindow  (65696, 0, ... ) == 0x788
 02391   468   NtUserQueryWindow  (65696, 1, ... ) == 0x79c
 02392   468   NtUserQueryWindow  (65698, 0, ... ) == 0x788
 02393   468   NtUserQueryWindow  (65698, 1, ... ) == 0x79c
 02394   468   NtUserQueryWindow  (65656, 0, ... ) == 0x788
 02395   468   NtUserQueryWindow  (65656, 1, ... ) == 0x79c
 02396   468   NtUserQueryWindow  (65640, 0, ... ) == 0x788
 02397   468   NtUserQueryWindow  (65640, 1, ... ) == 0x79c
 02398   468   NtUserQueryWindow  (196682, 0, ... ) == 0x788
 02399   468   NtUserQueryWindow  (196682, 1, ... ) == 0x79c
 02400   468   NtUserQueryWindow  (65638, 0, ... ) == 0x788
 02401   468   NtUserQueryWindow  (65638, 1, ... ) == 0x79c
 02402   468   NtUserQueryWindow  (196684, 0, ... ) == 0x788
 02403   468   NtUserQueryWindow  (196684, 1, ... ) == 0x79c
 02404   468   NtUserQueryWindow  (196668, 0, ... ) == 0x788
 02405   468   NtUserQueryWindow  (196668, 1, ... ) == 0x79c
 02406   468   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x10072, 0x10076, 0x1, ), 10, ) == 0x0
 02407   468   NtUserQueryWindow  (196670, 0, ... ) == 0x788
 02408   468   NtUserQueryWindow  (196670, 1, ... ) == 0x79c
 02409   468   NtUserQueryWindow  (196674, 0, ... ) == 0x788
 02410   468   NtUserQueryWindow  (196674, 1, ... ) == 0x79c
 02411   468   NtUserQueryWindow  (196672, 0, ... ) == 0x788
 02412   468   NtUserQueryWindow  (196672, 1, ... ) == 0x79c
 02413   468   NtUserQueryWindow  (196676, 0, ... ) == 0x788
 02414   468   NtUserQueryWindow  (196676, 1, ... ) == 0x79c
 02415   468   NtUserQueryWindow  (196678, 0, ... ) == 0x788
 02416   468   NtUserQueryWindow  (196678, 1, ... ) == 0x79c
 02417   468   NtUserQueryWindow  (196680, 0, ... ) == 0x788
 02418   468   NtUserQueryWindow  (196680, 1, ... ) == 0x79c
 02419   468   NtUserQueryWindow  (65642, 0, ... ) == 0x788
 02420   468   NtUserQueryWindow  (65642, 1, ... ) == 0x79c
 02421   468   NtUserQueryWindow  (65650, 0, ... ) == 0x788
 02422   468   NtUserQueryWindow  (65650, 1, ... ) == 0x79c
 02423   468   NtUserQueryWindow  (65654, 0, ... ) == 0x788
 02424   468   NtUserQueryWindow  (65654, 1, ... ) == 0x79c
 02425   468   NtUserQueryWindow  (65692, 0, ... ) == 0x788
 02426   468   NtUserQueryWindow  (65692, 1, ... ) == 0x79c
 02427   468   NtUserQueryWindow  (65680, 0, ... ) == 0x788
 02428   468   NtUserQueryWindow  (65680, 1, ... ) == 0x79c
 02429   468   NtUserQueryWindow  (65664, 0, ... ) == 0x788
 02430   468   NtUserQueryWindow  (65664, 1, ... ) == 0x78c
 02431   468   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 02432   468   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 02433   468   NtUserQueryWindow  (65750, 0, ... ) == 0x388
 02434   468   NtUserQueryWindow  (65750, 1, ... ) == 0x3a8
 02435   468   NtUserQueryWindow  (65726, 0, ... ) == 0x70
 02436   468   NtUserQueryWindow  (65726, 1, ... ) == 0x88
 02437   468   NtUserQueryWindow  (65724, 0, ... ) == 0x70
 02438   468   NtUserQueryWindow  (65724, 1, ... ) == 0x88
 02439   468   NtUserQueryWindow  (65722, 0, ... ) == 0x70
 02440   468   NtUserQueryWindow  (65722, 1, ... ) == 0x88
 02441   468   NtUserQueryWindow  (65720, 0, ... ) == 0x70
 02442   468   NtUserQueryWindow  (65720, 1, ... ) == 0x88
 02443   468   NtUserQueryWindow  (65718, 0, ... ) == 0x70
 02444   468   NtUserQueryWindow  (65718, 1, ... ) == 0x88
 02445   468   NtUserQueryWindow  (65716, 0, ... ) == 0x70
 02446   468   NtUserQueryWindow  (65716, 1, ... ) == 0x88
 02447   468   NtUserQueryWindow  (65712, 0, ... ) == 0x70
 02448   468   NtUserQueryWindow  (65712, 1, ... ) == 0x88
 02449   468   NtUserQueryWindow  (65710, 0, ... ) == 0x70
 02450   468   NtUserQueryWindow  (65710, 1, ... ) == 0x88
 02451   468   NtUserQueryWindow  (131168, 0, ... ) == 0x90
 02452   468   NtUserQueryWindow  (131168, 1, ... ) == 0x94
 02453   468   NtUserQueryWindow  (65746, 0, ... ) == 0x788
 02454   468   NtUserQueryWindow  (65746, 1, ... ) == 0x310
 02455   468   NtUserQueryWindow  (65736, 0, ... ) == 0x788
 02456   468   NtUserQueryWindow  (65736, 1, ... ) == 0x310
 02457   468   NtUserBuildHwndList  (0, 65736, 1, 0, 64, ... (0x100ca, 0x100cc, 0x100ce, 0x100d0, 0x1, ), 5, ) == 0x0
 02458   468   NtUserQueryWindow  (65738, 0, ... ) == 0x788
 02459   468   NtUserQueryWindow  (65738, 1, ... ) == 0x310
 02460   468   NtUserQueryWindow  (65740, 0, ... ) == 0x788
 02461   468   NtUserQueryWindow  (65740, 1, ... ) == 0x310
 02462   468   NtUserQueryWindow  (65742, 0, ... ) == 0x788
 02463   468   NtUserQueryWindow  (65742, 1, ... ) == 0x310
 02464   468   NtUserQueryWindow  (65744, 0, ... ) == 0x788
 02465   468   NtUserQueryWindow  (65744, 1, ... ) == 0x310
 02466   468   NtUserQueryWindow  (65734, 0, ... ) == 0x788
 02467   468   NtUserQueryWindow  (65734, 1, ... ) == 0x79c
 02468   468   NtUserQueryWindow  (65708, 0, ... ) == 0x7f8
 02469   468   NtUserQueryWindow  (65708, 1, ... ) == 0x7fc
 02470   468   NtUserQueryWindow  (131166, 0, ... ) == 0x7f0
 02471   468   NtUserQueryWindow  (131166, 1, ... ) == 0x7f4
 02472   468   NtUserQueryWindow  (65644, 0, ... ) == 0x788
 02473   468   NtUserQueryWindow  (65644, 1, ... ) == 0x7d4
 02474   468   NtUserQueryWindow  (327760, 0, ... ) == 0x788
 02475   468   NtUserQueryWindow  (327760, 1, ... ) == 0x78c
 02476   468   NtUserQueryWindow  (262228, 0, ... ) == 0x788
 02477   468   NtUserQueryWindow  (262228, 1, ... ) == 0x78c
 02478   468   NtUserQueryWindow  (327758, 0, ... ) == 0x788
 02479   468   NtUserQueryWindow  (327758, 1, ... ) == 0x78c
 02480   468   NtUserQueryWindow  (65666, 0, ... ) == 0x788
 02481   468   NtUserQueryWindow  (65666, 1, ... ) == 0x78c
 02482   468   NtUserQueryWindow  (65658, 0, ... ) == 0x788
 02483   468   NtUserQueryWindow  (65658, 1, ... ) == 0x78c
 02484   468   NtUserBuildHwndList  (0, 65658, 1, 0, 64, ... (0x1007c, 0x1007e, 0x1, ), 3, ) == 0x0
 02485   468   NtUserQueryWindow  (65660, 0, ... ) == 0x788
 02486   468   NtUserQueryWindow  (65660, 1, ... ) == 0x78c
 02487   468   NtUserQueryWindow  (65662, 0, ... ) == 0x788
 02488   468   NtUserQueryWindow  (65662, 1, ... ) == 0x78c
 02489   468   NtUserCloseDesktop  (108, ...
 02490   468   NtClose  (108, ... ) == 0x0
 02489   468   NtUserCloseDesktop  ... ) == 0x1
 02491   468   NtUserGetProcessWindowStation  (... ) == 0x28
 02492   468   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02493   468   NtUserGetProcessWindowStation  (... ) == 0x28
 02494   468   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02495   468   NtGdiDeleteObjectApp  (302646145, ... ) == 0x1
 02496   468   NtGdiDeleteObjectApp  (218760177, ... ) == 0x1
 02497   468   NtClose  (100, ... ) == 0x0
 02498   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02499   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02500   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02501   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02502   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02503   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02504   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02505   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02506   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02507   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02508   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02509   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02510   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02511   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02512   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02513   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02514   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02515   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02516   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02517   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02518   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02519   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02520   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02521   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02522   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02523   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02524   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02525   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02526   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02527   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02528   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02529   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02530   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02531   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02532   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02533   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02534   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02535   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc017
 02536   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02537   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc019
 02538   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02539   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc018
 02540   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02541   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01a
 02542   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02543   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01c
 02544   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02545   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01e
 02546   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02547   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01b
 02548   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02549   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc068
 02550   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02551   468   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc06a
 02552   468   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02553   468   NtUnmapViewOfSection  (-1, 0x8a0000, ... ) == 0x0
 02554   468   NtClose  (72, ... ) == 0x0
 02555   468   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 02556   468   NtClose  (76, ... ) == 0x0
 02557   468   NtClose  (68, ... ) == 0x0
 02558   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02559   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02560   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02561   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02562   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02563   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02564   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02565   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02566   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02567   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02568   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02569   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02570   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02571   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02572   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02573   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02574   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02575   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02576   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02577   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02578   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02579   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02580   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02581   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02582   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02583   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02584   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02585   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02586   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02587   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02588   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02589   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02590   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02591   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02592   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02593   468   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02594   468   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02595   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02596   468   NtClose  (172, ... ) == 0x0
 02597   468   NtClose  (148, ... ) == 0x0
 02598   468   NtClose  (164, ... ) == 0x0
 02599   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02600   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02601   468   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02602   468   NtClose  (152, ... ) == 0x0
 02603   468   NtClose  (156, ... ) == 0x0
 02604   468   NtClose  (104, ... ) == 0x0
 02605   468   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02606   468   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 468, 1597, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 440, 468, 1597, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 468, 1597, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02607   468   NtTerminateProcess  (-1, 0, ...
 02608   468   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtAdjustPrivilegesToken(>)	2	NtGdiGetStockObject(>)	5	NtUserRegisterWindowMessage(>)	19
NtAddAtom(>)	1	NtContinue(>)	2	NtUserBuildHwndList(>)	5	NtOpenThreadToken(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtWriteFile(>)	5	NtUnmapViewOfSection(>)	21
NtConnectPort(>)	1	NtEnumerateKey(>)	2	NtCreateSemaphore(>)	6	NtCreateKey(>)	22
NtCreateProcessEx(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtCreateSection(>)	27
NtCreateThread(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultLocale(>)	6	NtQueryInformationFile(>)	27
NtDeleteValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtQuerySymbolicLinkObject(>)	6	NtOpenSection(>)	29
NtGdiCreateBitmap(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	6	NtReleaseSemaphore(>)	31
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtSetInformationProcess(>)	31
NtGdiInit(>)	1	NtQueryVirtualMemory(>)	2	NtQueryDefaultUILanguage(>)	8	NtWaitForSingleObject(>)	33
NtGdiQueryFontAssocInfo(>)	1	NtReleaseMutant(>)	2	NtSetInformationFile(>)	8	NtProtectVirtualMemory(>)	36
NtGdiSelectBitmap(>)	1	NtTerminateProcess(>)	2	NtQueryVolumeInformationFile(>)	9	NtUserUnregisterClass(>)	46
NtNotifyChangeKey(>)	1	NtUserCloseDesktop(>)	2	NtFsControlFile(>)	10	NtMapViewOfSection(>)	48
NtOpenKeyedEvent(>)	1	NtUserCreateWindowEx(>)	2	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	48
NtOpenProcess(>)	1	NtUserDestroyWindow(>)	2	NtQuerySection(>)	11	NtQueryInformationProcess(>)	51
NtQueryInformationJobObject(>)	1	NtUserMessageCall(>)	2	NtRequestWaitReplyPort(>)	11	NtDeviceIoControlFile(>)	55
NtQueryObject(>)	1	NtCreateMutant(>)	3	NtUserCallOneParam(>)	11	NtOpenProcessTokenEx(>)	60
NtQueryPerformanceCounter(>)	1	NtDuplicateObject(>)	3	NtUserSystemParametersInfo(>)	11	NtOpenThreadTokenEx(>)	60
NtQuerySystemTime(>)	1	NtEnumerateValueKey(>)	3	NtLockFile(>)	13	NtUserRegisterClassExWOW(>)	64
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUnlockFile(>)	13	NtQueryAttributesFile(>)	68
NtResumeThread(>)	1	NtGdiDeleteObjectApp(>)	3	NtCreateEvent(>)	14	NtQueryInformationToken(>)	72
NtSecureConnectPort(>)	1	NtOpenEvent(>)	3	NtOpenProcessToken(>)	14	NtQueryKey(>)	73
NtTestAlert(>)	1	NtReadVirtualMemory(>)	3	NtSetValueKey(>)	15	NtUserGetClassInfo(>)	82
NtUserBuildNameList(>)	1	NtSetEvent(>)	3	NtQueryDebugFilterState(>)	16	NtAllocateVirtualMemory(>)	88
NtUserGetAtomName(>)	1	NtUserGetObjectInformation(>)	3	NtFlushInstructionCache(>)	17	NtQuerySystemInformation(>)	88
NtUserGetDC(>)	1	NtUserOpenDesktop(>)	3	NtFreeVirtualMemory(>)	17	NtOpenFile(>)	90
NtUserGetForegroundWindow(>)	1	NtUserRemoveProp(>)	3	NtQueryDirectoryFile(>)	17	NtQueryValueKey(>)	125
NtUserGetGUIThreadInfo(>)	1	NtWaitForMultipleObjects(>)	3	NtReadFile(>)	17	NtUserQueryWindow(>)	128
NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtSetInformationThread(>)	17	NtOpenKey(>)	288
NtUserSetProp(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	18	NtClose(>)	385