Summary:


NtAccessCheck(>)  1 
NtAdjustPrivilegesToken(>)  2 
NtGdiGetStockObject(>)  5 
NtUserRegisterWindowMessage(>)  19 

NtAddAtom(>)  1 
NtContinue(>)  2 
NtUserBuildHwndList(>)  5 
NtOpenThreadToken(>)  20 

NtCallbackReturn(>)  1 
NtCreateIoCompletion(>)  2 
NtWriteFile(>)  5 
NtUnmapViewOfSection(>)  21 

NtConnectPort(>)  1 
NtEnumerateKey(>)  2 
NtCreateSemaphore(>)  6 
NtCreateKey(>)  22 

NtCreateProcessEx(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtCreateSection(>)  27 

NtCreateThread(>)  1 
NtGdiHfontCreate(>)  2 
NtQueryDefaultLocale(>)  6 
NtQueryInformationFile(>)  27 

NtDeleteValueKey(>)  1 
NtOpenDirectoryObject(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtOpenSection(>)  29 

NtGdiCreateBitmap(>)  1 
NtOpenMutant(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtReleaseSemaphore(>)  31 

NtGdiCreatePatternBrushInternal(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtSetInformationProcess(>)  31 

NtGdiInit(>)  1 
NtQueryVirtualMemory(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtWaitForSingleObject(>)  33 

NtGdiQueryFontAssocInfo(>)  1 
NtReleaseMutant(>)  2 
NtSetInformationFile(>)  8 
NtProtectVirtualMemory(>)  36 

NtGdiSelectBitmap(>)  1 
NtTerminateProcess(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtUserUnregisterClass(>)  46 

NtNotifyChangeKey(>)  1 
NtUserCloseDesktop(>)  2 
NtFsControlFile(>)  10 
NtMapViewOfSection(>)  48 

NtOpenKeyedEvent(>)  1 
NtUserCreateWindowEx(>)  2 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtOpenProcess(>)  1 
NtUserDestroyWindow(>)  2 
NtQuerySection(>)  11 
NtQueryInformationProcess(>)  51 

NtQueryInformationJobObject(>)  1 
NtUserMessageCall(>)  2 
NtRequestWaitReplyPort(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryObject(>)  1 
NtCreateMutant(>)  3 
NtUserCallOneParam(>)  11 
NtOpenProcessTokenEx(>)  60 

NtQueryPerformanceCounter(>)  1 
NtDuplicateObject(>)  3 
NtUserSystemParametersInfo(>)  11 
NtOpenThreadTokenEx(>)  60 

NtQuerySystemTime(>)  1 
NtEnumerateValueKey(>)  3 
NtLockFile(>)  13 
NtUserRegisterClassExWOW(>)  64 

NtRegisterThreadTerminatePort(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtUnlockFile(>)  13 
NtQueryAttributesFile(>)  68 

NtResumeThread(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtCreateEvent(>)  14 
NtQueryInformationToken(>)  72 

NtSecureConnectPort(>)  1 
NtOpenEvent(>)  3 
NtOpenProcessToken(>)  14 
NtQueryKey(>)  73 

NtTestAlert(>)  1 
NtReadVirtualMemory(>)  3 
NtSetValueKey(>)  15 
NtUserGetClassInfo(>)  82 

NtUserBuildNameList(>)  1 
NtSetEvent(>)  3 
NtQueryDebugFilterState(>)  16 
NtAllocateVirtualMemory(>)  88 

NtUserGetAtomName(>)  1 
NtUserGetObjectInformation(>)  3 
NtFlushInstructionCache(>)  17 
NtQuerySystemInformation(>)  88 

NtUserGetDC(>)  1 
NtUserOpenDesktop(>)  3 
NtFreeVirtualMemory(>)  17 
NtOpenFile(>)  90 

NtUserGetForegroundWindow(>)  1 
NtUserRemoveProp(>)  3 
NtQueryDirectoryFile(>)  17 
NtQueryValueKey(>)  125 

NtUserGetGUIThreadInfo(>)  1 
NtWaitForMultipleObjects(>)  3 
NtReadFile(>)  17 
NtUserQueryWindow(>)  128 

NtUserGetThreadDesktop(>)  1 
NtSetInformationObject(>)  4 
NtSetInformationThread(>)  17 
NtOpenKey(>)  288 

NtUserSetProp(>)  1 
NtWriteVirtualMemory(>)  4 
NtCreateFile(>)  18 
NtClose(>)  385 


Trace:
 00001   472   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   472   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0
 00005   472   NtAllocateVirtualMemory  (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0
 00006   472   NtAllocateVirtualMemory  (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0
 00007   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   472   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0
 00009   472   NtAllocateVirtualMemory  (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0
 00010   472   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   472   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   472   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   472   NtClose  (12, ... ) == 0x0
 00014   472   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   472   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   472   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   472   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   472   NtClose  (16, ... ) == 0x0
 00021   472   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   472   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   472   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   472   NtClose  (16, ... ) == 0x0
 00026   472   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   472   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   472   NtQueryVirtualMemory  (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   472   NtAllocateVirtualMemory  (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0
 00031   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 440, 472, 1510, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ... {28, 56, reply, 0, 440, 472, 1510, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 440, 472, 1510, 0} "8@\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" )  ) == 0x0
 00032   472   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   472   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   472   NtClose  (16, ... ) == 0x0
 00036   472   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   472   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0
 00040   472   NtClose  (28, ... ) == 0x0
 00041   472   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0
 00044   472   NtClose  (28, ... ) == 0x0
 00045   472   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0
 00047   472   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   472   NtClose  (28, ... ) == 0x0
 00049   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0
 00051   472   NtClose  (28, ... ) == 0x0
 00052   472   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 440, 472, 1532, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ... {28, 56, reply, 0, 440, 472, 1532, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 440, 472, 1532, 0} "(\261\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" )  ) == 0x0
 00056   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00057   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00058   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00059   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   472   NtClose  (28, ... ) == 0x0
 00062   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   472   NtClose  (28, ... ) == 0x0
 00065   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   472   NtClose  (28, ... ) == 0x0
 00068   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   472   NtClose  (28, ... ) == 0x0
 00071   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00072   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00073   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00074   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00075   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00076   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00077   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00078   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00079   472   NtClose  (28, ... ) == 0x0
 00080   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00081   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00082   472   NtClose  (28, ... ) == 0x0
 00083   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00084   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00085   472   NtClose  (28, ... ) == 0x0
 00086   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00087   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00088   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00089   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00090   472   NtAllocateVirtualMemory  (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0
 00091   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00092   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00093   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00094   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00095   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00096   472   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00097   472   NtOpenProcessToken  (-1, 0x8, ... 36, ) == 0x0
 00098   472   NtQueryInformationToken  (36, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00099   472   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00100   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0
 00101   472   NtQueryValueKey  (40,  (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00102   472   NtClose  (40, ... ) == 0x0
 00103   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00104   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 40, ) == 0x0
 00105   472   NtQueryInformationToken  (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00106   472   NtClose  (40, ... ) == 0x0
 00107   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00108   472   NtClose  (36, ... ) == 0x0
 00109   472   NtClose  (28, ... ) == 0x0
 00110   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00111   472   NtClose  (32, ... ) == 0x0
 00112   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00113   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00114   472   NtClose  (32, ... ) == 0x0
 00115   472   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00116   472   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00117   472   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00118   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00119   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00120   472   NtClose  (32, ... ) == 0x0
 00121   472   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00122   472   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00123   472   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00124   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00125   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00126   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00127   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00128   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00129   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00130   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0
 00131   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0
 00132   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0
 00133   472   NtQuerySection  (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00134   472   NtClose  (32, ... ) == 0x0
 00135   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00136   472   NtClose  (28, ... ) == 0x0
 00137   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00138   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00139   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00140   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0
 00141   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0
 00142   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0
 00143   472   NtQuerySection  (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00144   472   NtClose  (28, ... ) == 0x0
 00145   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00146   472   NtClose  (32, ... ) == 0x0
 00147   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00148   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00149   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00150   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00151   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00152   472   NtClose  (32, ... ) == 0x0
 00153   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00154   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00155   472   NtClose  (32, ... ) == 0x0
 00156   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00157   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00158   472   NtClose  (32, ... ) == 0x0
 00159   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00160   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00161   472   NtClose  (32, ... ) == 0x0
 00162   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 32, ) }, ... 32, ) == 0x0
 00163   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00164   472   NtClose  (32, ... ) == 0x0
 00165   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00166   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00167   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00168   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 32, ) }, ... 32, ) == 0x0
 00169   472   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00170   472   NtClose  (32, ... ) == 0x0
 00171   472   NtProtectVirtualMemory  (-1, (0x41d000), 648, 4, ... (0x41d000), 4096, 2, ) == 0x0
 00172   472   NtProtectVirtualMemory  (-1, (0x41d000), 4096, 2, ... (0x41d000), 4096, 4, ) == 0x0
 00173   472   NtFlushInstructionCache  (-1, 4313088, 648, ... ) == 0x0
 00174   472   NtOpenProcessToken  (-1, 0x8, ... 32, ) == 0x0
 00175   472   NtQueryInformationToken  (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00176   472   NtClose  (32, ... ) == 0x0
 00177   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00178   472   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00179   472   NtClose  (32, ... ) == 0x0
 00180   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0
 00181   472   NtQueryValueKey  (32,  (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00182   472   NtQueryValueKey  (32,  (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00183   472   NtClose  (32, ... ) == 0x0
 00184   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0
 00185   472   NtQueryValueKey  (32,  (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00186   472   NtClose  (32, ... ) == 0x0
 00187   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0
 00188   472   NtSetInformationObject  (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00189   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00190   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00191   472   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 440, 472, 1552, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ... {28, 56, reply, 0, 440, 472, 1552, 0}  (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\31\1\0\0\0\0\314\4\23\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 440, 472, 1552, 0} "XQ\26\0\0\0\0\0\0\0\0\0`\10\260\15\3\0\0\0\234\6\31\1$\1\0\0" )  ) == 0x0
 00192   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00193   472   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x440000), 0x0, 1060864, ) == 0x0
 00194   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00195   472   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00196   472   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482208, ) == 0x0
 00197   472   NtQueryInformationToken  (-2147482208, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00198   472   NtQueryInformationToken  (-2147482208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00199   472   NtClose  (-2147482208, ... ) == 0x0
 00200   472   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0
 00201   472   NtFreeVirtualMemory  (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0
 00202   472   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00203   472   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00204   472   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00205   472   NtClose  (-2147482208, ... ) == 0x0
 00206   472   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00207   472   NtQueryValueKey  (-2147482208,  (-2147482208, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00208   472   NtClose  (-2147482208, ... ) == 0x0
 00209   472   NtQueryDefaultLocale  (0, -135165428, ... ) == 0x0
 00210   472   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00211   472   NtUserCallNoParam  (24, ... ) == 0x0
 00212   472   NtGdiCreateCompatibleDC  (0, ...
 00213   472   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0
 00212   472   NtGdiCreateCompatibleDC  ... ) == 0x40010402
 00214   472   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00215   472   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00216   472   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xe0503f2
 00217   472   NtGdiCreateSolidBrush  (0, 0, ...
 00218   472   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 8716288, 4096, ) == 0x0
 00217   472   NtGdiCreateSolidBrush  ... ) == 0xd100403
 00219   472   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00220   472   NtGdiCreateCompatibleDC  (0, ... ) == 0xc0103f3
 00221   472   NtGdiSelectBitmap  (201393139, 235209714, ... ) == 0x185000f
 00222   472   NtUserGetThreadDesktop  (472, 0, ... ) == 0x2c
 00223   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00224   472   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00225   472   NtClose  (52, ... ) == 0x0
 00226   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00227   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810dc017
 00228   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00229   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810dc01c
 00230   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00231   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810dc01e
 00232   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00233   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810d8002
 00234   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00235   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810dc018
 00236   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00237   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810dc01a
 00238   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00239   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810dc01d
 00240   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00241   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810dc026
 00242   472   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00243   472   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810dc019
 00244   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ...
 00245   472   NtAllocateVirtualMemory  (-1, 5668864, 0, 4096, 4096, 32, ... 5668864, 4096, ) == 0x0
 00244   472   NtUserRegisterClassExWOW  ... ) == 0x810dc020
 00246   472   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc022
 00247   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc023
 00248   472   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810dc024
 00249   472   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810dc025
 00250   472   NtCallbackReturn  (0, 0, 0, ...
 00251   472   NtGdiInit  (... ) == 0x1
 00252   472   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00253   472   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00254   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00255   472   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0
 00256   472   NtAllocateVirtualMemory  (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0
 00257   472   NtAllocateVirtualMemory  (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0
 00258   472   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 52, ) == 0x0
 00259   472   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0
 00260   472   NtClose  (52, ... ) == 0x0
 00261   472   NtAllocateVirtualMemory  (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0
 00262   472   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00263   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 52, ) }, ... 52, ) == 0x0
 00264   472   NtQueryValueKey  (52,  (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (52, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00265   472   NtClose  (52, ... ) == 0x0
 00266   472   NtQueryDefaultUILanguage  (1241756, ...
 00267   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00268   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00269   472   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00270   472   NtClose  (-2147482208, ... ) == 0x0
 00271   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00272   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00273   472   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00274   472   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00275   472   NtClose  (-2147482196, ... ) == 0x0
 00276   472   NtClose  (-2147482208, ... ) == 0x0
 00266   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00277   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00278   472   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00279   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00280   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 56, ) == 0x0
 00281   472   NtMapViewOfSection  (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 8323072, ) == 0x0
 00282   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00283   472   NtQueryDefaultUILanguage  (2013024600, ...
 00284   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00285   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00286   472   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00287   472   NtClose  (-2147482208, ... ) == 0x0
 00288   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00289   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00290   472   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00291   472   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00292   472   NtClose  (-2147482196, ... ) == 0x0
 00293   472   NtClose  (-2147482208, ... ) == 0x0
 00283   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00294   472   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00295   472   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00296   472   NtQueryDefaultLocale  (1, 1239792, ... ) == 0x0
 00297   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00298   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1553, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 472, 1553, 0}  (24, {128, 156, new_msg, 0, 1240648, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1553, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\14\0\0\0\377\377\377\377\0\0\0\0\20\311\277\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0H\365\22\0\0\0\0\0" )  ) == 0x0
 00299   472   NtClose  (52, ... ) == 0x0
 00300   472   NtClose  (56, ... ) == 0x0
 00301   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00302   472   NtUnmapViewOfSection  (-1, 0x12f548, ... ) == STATUS_NOT_MAPPED_VIEW
 00303   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00304   472   NtAllocateVirtualMemory  (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0
 00305   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0
 00306   472   NtQueryValueKey  (56,  (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00307   472   NtClose  (56, ... ) == 0x0
 00308   472   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00309   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00310   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00311   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238876, ... ) }, 1238876, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00312   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00313   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00314   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00315   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1239468, ... ) }, 1239468, ... ) == 0x0
 00316   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 56, {status=0x0, info=1}, ) }, 3, 33, ... 56, {status=0x0, info=1}, ) == 0x0
 00317   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00318   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00319   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00320   472   NtClose  (52, ... ) == 0x0
 00321   472   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 921600, ) == 0x0
 00322   472   NtClose  (60, ... ) == 0x0
 00323   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00324   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 60, {status=0x0, info=1}, ) }, 5, 96, ... 60, {status=0x0, info=1}, ) == 0x0
 00325   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 60, ... 52, ) == 0x0
 00326   472   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00327   472   NtClose  (60, ... ) == 0x0
 00328   472   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00329   472   NtClose  (52, ... ) == 0x0
 00330   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00331   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00332   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00333   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00334   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00335   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00336   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00337   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00338   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00339   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00340   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00341   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00342   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00343   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00344   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00345   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00346   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00347   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00348   472   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00349   472   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00350   472   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00351   472   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1240652, ... ) , 42, 1240652, ... ) == 0x0
 00352   472   NtQueryDefaultUILanguage  (1239368, ...
 00353   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00354   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00355   472   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00356   472   NtClose  (-2147482208, ... ) == 0x0
 00357   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00358   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00359   472   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00360   472   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00361   472   NtClose  (-2147482196, ... ) == 0x0
 00362   472   NtClose  (-2147482208, ... ) == 0x0
 00352   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00363   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00364   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1238220, ... ) }, 1238220, ... ) == 0x0
 00365   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00366   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 60, ) == 0x0
 00367   472   NtClose  (52, ... ) == 0x0
 00368   472   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x880000), 0x0, 4096, ) == 0x0
 00369   472   NtClose  (60, ... ) == 0x0
 00370   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00371   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237860, ... ) }, 1237860, ... ) == 0x0
 00372   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1238560,  (0x80100080, {24, 0, 0x40, 0, 1238560, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 60, {status=0x0, info=1}, ) == 0x0
 00373   472   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 60, ... 52, ) == 0x0
 00374   472   NtClose  (60, ... ) == 0x0
 00375   472   NtMapViewOfSection  (52, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x880000), {0, 0}, 4096, ) == 0x0
 00376   472   NtClose  (52, ... ) == 0x0
 00377   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00378   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 52, {status=0x0, info=1}, ) }, 1, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00379   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 52, ... 60, ) == 0x0
 00380   472   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x880000), 0x0, 4096, ) == 0x0
 00381   472   NtQueryInformationFile  (52, 1238180, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00382   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00383   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1554, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 472, 1554, 0}  (24, {128, 156, new_msg, 0, 1238260, 1, 96, 0} "\210\6\31\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1554, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\31\14\0\0\0<\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\31\1\0\0\0\0\0\0\0\0\364\353\22\0\0\0\0\0" )  ) == 0x0
 00384   472   NtClose  (52, ... ) == 0x0
 00385   472   NtClose  (60, ... ) == 0x0
 00386   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 00387   472   NtUnmapViewOfSection  (-1, 0x12ebf4, ... ) == STATUS_NOT_MAPPED_VIEW
 00388   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00389   472   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00390   472   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00391   472   NtUserGetDC  (0, ... ) == 0x1010051
 00392   472   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00393   472   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00394   472   NtUserSystemParametersInfo  (66, 12, 1240672, 0, ... ) == 0x1
 00395   472   NtOpenProcessToken  (-1, 0x8, ... 60, ) == 0x0
 00396   472   NtAccessCheck  (1329240, 60, 0x1, 1240076, 1240020, 56, 1240104, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00397   472   NtClose  (60, ... ) == 0x0
 00398   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00399   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 60, ) == 0x0
 00400   472   NtQueryInformationToken  (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00401   472   NtClose  (60, ... ) == 0x0
 00402   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0
 00403   472   NtSetInformationObject  (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00404   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00405   472   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00406   472   NtClose  (52, ... ) == 0x0
 00407   472   NtUserSystemParametersInfo  (41, 500, 1240172, 0, ... ) == 0x1
 00408   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 52, ) }, ... 52, ) == 0x0
 00409   472   NtQueryValueKey  (52,  (52, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00410   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 64, ) }, ... 64, ) == 0x0
 00411   472   NtQueryValueKey  (64,  (64, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00412   472   NtClose  (64, ... ) == 0x0
 00413   472   NtClose  (52, ... ) == 0x0
 00414   472   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00415   472   NtUserSystemParametersInfo  (4130, 0, 1240696, 0, ... ) == 0x1
 00416   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 52, ) }, ... 52, ) == 0x0
 00417   472   NtEnumerateValueKey  (52, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00418   472   NtClose  (52, ... ) == 0x0
 00419   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00420   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03b
 00421   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc03d
 00422   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00423   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc03f
 00424   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00425   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc041
 00426   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00427   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc043
 00428   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc045
 00429   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00430   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc047
 00431   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00432   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc049
 00433   472   NtUserGetClassInfo  (1905590272, 1240592, 1240544, 1240620, 0, ... ) == 0xc049
 00434   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00435   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04b
 00436   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00437   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04d
 00438   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00439   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc04f
 00440   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc051
 00441   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00442   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc053
 00443   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00444   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc055
 00445   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc057
 00446   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00447   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc059
 00448   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10013
 00449   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05b
 00450   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00451   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05d
 00452   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00453   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc05f
 00454   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00455   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc017
 00456   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00457   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc019
 00458   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10013
 00459   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc018
 00460   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00461   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc01a
 00462   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00463   472   NtUserRegisterClassExWOW  (1240428, 1240508, 1240492, 1240524, 0, 384, 0, ... ) == 0x810dc01c
 00464   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00465   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ...
 00466   472   NtAllocateVirtualMemory  (-1, 5672960, 0, 4096, 4096, 32, ... 5672960, 4096, ) == 0x0
 00465   472   NtUserRegisterClassExWOW  ... ) == 0x810dc01e
 00467   472   NtUserFindExistingCursorIcon  (1239976, 1239992, 1240560, ... ) == 0x10011
 00468   472   NtUserRegisterClassExWOW  (1240488, 1240568, 1240552, 1240584, 0, 384, 0, ... ) == 0x810dc01b
 00469   472   NtUserFindExistingCursorIcon  (1239972, 1239988, 1240556, ... ) == 0x10011
 00470   472   NtUserRegisterClassExWOW  (1240484, 1240564, 1240548, 1240580, 0, 384, 0, ... ) == 0x810dc068
 00471   472   NtUserFindExistingCursorIcon  (1239980, 1239996, 1240564, ... ) == 0x10011
 00472   472   NtUserRegisterClassExWOW  (1240432, 1240512, 1240496, 1240528, 0, 384, 0, ... ) == 0x810dc06a
 00473   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00474   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00475   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03b
 00476   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00477   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03d
 00478   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00479   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00480   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc03f
 00481   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00482   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00483   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc041
 00484   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00485   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00486   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc043
 00487   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00488   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc045
 00489   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00490   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00491   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc047
 00492   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00493   472   NtUserFindExistingCursorIcon  (1242872, 1242888, 1243456, ... ) == 0x10011
 00494   472   NtUserRegisterClassExWOW  (1243324, 1243404, 1243388, 1243420, 0, 384, 0, ... ) == 0x810dc049
 00495   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00496   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00497   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04b
 00498   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00499   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00500   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04d
 00501   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00502   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00503   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc04f
 00504   472   NtUserGetClassInfo  (0, 1243496, 1243448, 1243524, 0, ... ) == 0x0
 00505   472   NtUserRegisterClassExWOW  (1243332, 1243412, 1243396, 1243428, 0, 384, 0, ... ) == 0x810dc051
 00506   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00507   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00508   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc053
 00509   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00510   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00511   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc055
 00512   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc057
 00513   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00514   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00515   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc059
 00516   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00517   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10013
 00518   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05b
 00519   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00520   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00521   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05d
 00522   472   NtUserGetClassInfo  (0, 1243492, 1243444, 1243520, 0, ... ) == 0x0
 00523   472   NtUserFindExistingCursorIcon  (1242876, 1242892, 1243460, ... ) == 0x10011
 00524   472   NtUserRegisterClassExWOW  (1243328, 1243408, 1243392, 1243424, 0, 384, 0, ... ) == 0x810dc05f
 00525   472   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {440, 0}, ... 52, ) == 0x0
 00526   472   NtQueryInformationProcess  (52, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00527   472   NtClose  (52, ... ) == 0x0
 00528   472   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00529   472   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00530   472   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00531   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 52, ) }, ... 52, ) == 0x0
 00532   472   NtQueryValueKey  (52,  (52, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00533   472   NtClose  (52, ... ) == 0x0
 00534   472   NtUserSystemParametersInfo  (41, 500, 1243132, 0, ... ) == 0x1
 00535   472   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00536   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03b
 00537   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03d
 00538   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc03f
 00539   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc041
 00540   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc043
 00541   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc045
 00542   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc047
 00543   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc049
 00544   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04b
 00545   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04d
 00546   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc04f
 00547   472   NtUserGetClassInfo  (1999896576, 1243544, 1243496, 1243572, 0, ... ) == 0xc051
 00548   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc053
 00549   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc055
 00550   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc059
 00551   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05b
 00552   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05d
 00553   472   NtUserGetClassInfo  (1999896576, 1243540, 1243492, 1243568, 0, ... ) == 0xc05f
 00554   472   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00555   472   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00556   472   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00557   472   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00558   472   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00559   472   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00560   472   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00561   472   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00562   472   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00563   472   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00564   472   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00565   472   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00566   472   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00567   472   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00568   472   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00569   472   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00570   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00571   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00572   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00573   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00574   472   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9043968, 262144, ) == 0x0
 00575   472   NtAllocateVirtualMemory  (-1, 9043968, 0, 4096, 4096, 4, ... 9043968, 4096, ) == 0x0
 00576   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00577   472   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9306112, 262144, ) == 0x0
 00578   472   NtAllocateVirtualMemory  (-1, 9306112, 0, 4096, 4096, 4, ... 9306112, 4096, ) == 0x0
 00579   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00580   472   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9568256, 262144, ) == 0x0
 00581   472   NtAllocateVirtualMemory  (-1, 9568256, 0, 4096, 4096, 4, ... 9568256, 4096, ) == 0x0
 00582   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00583   472   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9830400, 262144, ) == 0x0
 00584   472   NtAllocateVirtualMemory  (-1, 9830400, 0, 4096, 4096, 4, ... 9830400, 4096, ) == 0x0
 00585   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00586   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00587   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00588   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00589   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239372, ... ) }, 1239372, ... ) == 0x0
 00590   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 52, {status=0x0, info=1}, ) }, 5, 96, ... 52, {status=0x0, info=1}, ) == 0x0
 00591   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 52, ... 64, ) == 0x0
 00592   472   NtClose  (52, ... ) == 0x0
 00593   472   NtMapViewOfSection  (64, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9a0000), 0x0, 90112, ) == 0x0
 00594   472   NtClose  (64, ... ) == 0x0
 00595   472   NtUnmapViewOfSection  (-1, 0x9a0000, ... ) == 0x0
 00596   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1239688, ... ) }, 1239688, ... ) == 0x0
 00597   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 64, {status=0x0, info=1}, ) }, 5, 96, ... 64, {status=0x0, info=1}, ) == 0x0
 00598   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 64, ... 52, ) == 0x0
 00599   472   NtQuerySection  (52, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00600   472   NtClose  (64, ... ) == 0x0
 00601   472   NtMapViewOfSection  (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00602   472   NtClose  (52, ... ) == 0x0
 00603   472   NtQueryDefaultLocale  (1, 1241376, ... ) == 0x0
 00604   472   NtAllocateVirtualMemory  (-1, 9048064, 0, 4096, 4096, 4, ... 9048064, 4096, ) == 0x0
 00605   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE"}, ... 52, ) }, ... 52, ) == 0x0
 00606   472   NtClose  (52, ... ) == 0x0
 00607   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00608   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00609   472   NtOpenKey  (0x20019, {24, 60, 0x40, 0, 0,  (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00610   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00611   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00612   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00613   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00614   472   NtAllocateVirtualMemory  (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0
 00615   472   NtAllocateVirtualMemory  (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0
 00616   472   NtAllocateVirtualMemory  (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0
 00617   472   NtAllocateVirtualMemory  (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0
 00618   472   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00619   472   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1243532, 0,  (0x1f0003, {24, 52, 0x80, 1243532, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00620   472   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 64, ) }, ... 64, ) == 0x0
 00621   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00622   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00623   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 68, ) }, ... 68, ) == 0x0
 00624   472   NtQueryValueKey  (68,  (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00625   472   NtClose  (68, ... ) == 0x0
 00626   472   NtAllocateVirtualMemory  (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0
 00627   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00628   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00629   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00630   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00631   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 68, ) }, ... 68, ) == 0x0
 00632   472   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00633   472   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00634   472   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00635   472   NtClose  (68, ... ) == 0x0
 00636   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 68, ) }, ... 68, ) == 0x0
 00637   472   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00638   472   NtQueryValueKey  (68,  (68, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00639   472   NtClose  (68, ... ) == 0x0
 00640   472   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00641   472   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00642   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00643   472   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00644   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00645   472   NtAllocateVirtualMemory  (-1, 1351680, 0, 8192, 4096, 4, ... 1351680, 8192, ) == 0x0
 00646   472   NtCreateKey  (0xf003f, {24, 60, 0x40, 0, 0,  (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 68, 2, ) }, 0, 0x0, 0, ... 68, 2, ) == 0x0
 00647   472   NtQueryDefaultUILanguage  (1241768, ...
 00648   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00649   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482208, ) == 0x0
 00650   472   NtQueryInformationToken  (-2147482208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00651   472   NtClose  (-2147482208, ... ) == 0x0
 00652   472   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482208, ) }, ... -2147482208, ) == 0x0
 00653   472   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00654   472   NtOpenKey  (0x80000000, {24, -2147482208, 0x640, 0, 0,  (0x80000000, {24, -2147482208, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482196, ) }, ... -2147482196, ) == 0x0
 00655   472   NtQueryValueKey  (-2147482196,  (-2147482196, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00656   472   NtClose  (-2147482196, ... ) == 0x0
 00657   472   NtClose  (-2147482208, ... ) == 0x0
 00647   472   NtQueryDefaultUILanguage  ... ) == 0x0
 00658   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00659   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 72, {status=0x0, info=1}, ) }, 1, 96, ... 72, {status=0x0, info=1}, ) == 0x0
 00660   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 72, ... 76, ) == 0x0
 00661   472   NtMapViewOfSection  (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x9a0000), 0x0, 593920, ) == 0x0
 00662   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00663   472   NtQueryDefaultLocale  (1, 1239804, ... ) == 0x0
 00664   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00665   472   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\241\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1555, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\241\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 440, 472, 1555, 0}  (24, {128, 156, new_msg, 0, 1240660, 1, 96, 0} "\210\6\31\1\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\241\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" ... {128, 156, reply, 0, 440, 472, 1555, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\361\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\31\1H\0\0\0\377\377\377\377\0\0\0\0P\275\241\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\31\1\0\0\0\0\0\0\0\0T\365\22\0\0\0\0\0" )  ) == 0x0
 00666   472   NtClose  (72, ... ) == 0x0
 00667   472   NtClose  (76, ... ) == 0x0
 00668   472   NtUnmapViewOfSection  (-1, 0x9a0000, ... ) == 0x0
 00669   472   NtUnmapViewOfSection  (-1, 0x12f554, ... ) == STATUS_NOT_MAPPED_VIEW
 00670   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00671   472   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00673   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00674   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238344, ... ) }, 1238344, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00675   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00676   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00677   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00678   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238936, ... ) }, 1238936, ... ) == 0x0
 00679   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 76, {status=0x0, info=1}, ) }, 3, 33, ... 76, {status=0x0, info=1}, ) == 0x0
 00680   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00681   472   NtCreateKey  (0x2001f, {24, 60, 0x40, 0, 0,  (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 72, 2, ) }, 0, 0x0, 0, ... 72, 2, ) == 0x0
 00682   472   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 80, ) == 0x0
 00683   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 84, ) == 0x0
 00684   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 88, ) }, ... 88, ) == 0x0
 00685   472   NtNotifyChangeKey  (88, 84, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00686   472   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00687   472   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0
 00688   472   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 96, ) == 0x0
 00689   472   NtTestAlert  (... ) == 0x0
 00690   472   NtContinue  (1244464, 1, ...
 00691   472   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x404118,}, 4, ... ) == 0x0
 00692   472   NtQueryPerformanceCounter  (... {100445731, 0}, {3579545, 0}, ) == 0x0
 00693   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00694   472   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10092544, 65536, ) == 0x0
 00695   472   NtAllocateVirtualMemory  (-1, 10092544, 0, 4096, 4096, 4, ... 10092544, 4096, ) == 0x0
 00696   472   NtAllocateVirtualMemory  (-1, 10096640, 0, 8192, 4096, 4, ... 10096640, 8192, ) == 0x0
 00697   472   NtAllocateVirtualMemory  (-1, 10104832, 0, 4096, 4096, 4, ... 10104832, 4096, ) == 0x0
 00698   472   NtAllocateVirtualMemory  (-1, 10108928, 0, 4096, 4096, 4, ... 10108928, 4096, ) == 0x0
 00699   472   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10158080, 4096, ) == 0x0
 00700   472   NtProtectVirtualMemory  (-1, (0x9b0000), 6, 64, ...
 00701   472   NtContinue  (-135168212, 0, ...
 00700   472   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00702   472   NtFreeVirtualMemory  (-1, (0x9b0000), 0, 32768, ... (0x9b0000), 4096, ) == 0x0
 00703   472   NtCreateKey  (0xf003f, {24, 32, 0x40, 0, 0,  (0xf003f, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 100, 2, ) }, 0, 0x0, 0, ... 100, 2, ) == 0x0
 00704   472   NtDeleteValueKey  (100, "", ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00705   472   NtClose  (100, ... ) == 0x0
 00706   472   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 1241352,  (0x40100080, {24, 0, 0x42, 0, 1241352, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00707   472   NtClose  (-2147482208, ... ) == 0x0
 00706   472   NtCreateFile  ... 100, {status=0x0, info=2}, ) == 0x0
 00708   472   NtQueryVolumeInformationFile  (100, 1241456, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00709   472   NtAllocateVirtualMemory  (-1, 10113024, 0, 8192, 4096, 4, ... 10113024, 8192, ) == 0x0
 00710   472   NtWriteFile  (100, 0, 0, 0,  (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (100, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0
 00711   472   NtClose  (100, ... ) == 0x0
 00712   472   NtOpenKey  (0x9, {24, 32, 0x40, 0, 0,  (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00713   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235052, ... ) }, 1235052, ... ) == 0x0
 00714   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00715   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 104, ) == 0x0
 00716   472   NtClose  (100, ... ) == 0x0
 00717   472   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 262144, ) == 0x0
 00718   472   NtClose  (104, ... ) == 0x0
 00719   472   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00720   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00721   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00722   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00723   472   NtAllocateVirtualMemory  (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0
 00724   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 104, {status=0x0, info=0}, ) }, 7, 16, ... 104, {status=0x0, info=0}, ) == 0x0
 00725   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\3038\343X]k\35\324\350\234\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00726   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00727   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00728   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00729   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00730   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00731   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00732   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00733   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00734   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\217n\315\1k\376\370\30\3461%\23r;N!T\15\334\34ly\373\15%t\311\357\340f8\310\364\277u>\31\210\17\213\10x(\276\177>\305Y\320\237\245\246\270\201$6\250\332'No\356)\0\360\36\355\231\215G\15\222\213&\370\370y\261A", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\217n\315\1k\376\370\30\3461%\23r;N!T\15\334\34ly\373\15%t\311\357\340f8\310\364\277u>\31\210\17\213\10x(\276\177>\305Y\320\237\245\246\270\201$6\250\332'No\356)\0\360\36\355\231\215G\15\222\213&\370\370y\261A", 80, ... ) , 80, ... ) == 0x0
 00735   472   NtClose  (-2147482208, ... ) == 0x0
 00725   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "r\2442N\17s\36\253Hd\253&q\254\362D@\334*\22\360\1EV\362\20187\223\202\235\210"\245\203\335\257mfp\226\327- \300\25\351\3\353u\271\230\214\15<\14\37\3\23KPG_J\205\324\256{\240\346\262\0b\14\354;\205\264Z\234\210\246\301\3\0\314_A\266#\314\204\217\204\276-\373Ay\3114\362\334\214\263\247\2\302\276\313>\341\234g\33=\242\321?/\271c\177\333\21P)\223\253\315\330\32\202%\323J\212\2714\242\231?OY:\21,\336N\40\217Ct\0\213\367\320T\3\266=\223\306\6\27\10rH\310\11\223\325\322\32y{3\241\21w\24\305", ) \245\203\335\257mfp\226\327- \300\25\351\3\353u\271\230\214\15<\14\37\3\23KPG_J\205\324\256300\346\265\360\370\305\306nP\5\20\250\332\21z\340vi\264\246$1\267zp\326iv\242u\201\346\364\2%x\1Wy\336\374\312\351\276\7\361\253g\323\323\325X\253v\206\2166*\245\257\17\3>{\240\346\262\0b\14\354;\205\264Z\234\210\246\301\3\0\314_A\266#\314\204\217\204\276-\373Ay\3114\362\334\214\263\247\2\302\276\313>\341\234g\33=\242\321?/\271c\177\333\21P)\223\253\315\330\32\202%\323J\212\2714\242\231?OY:\21,\336N\40\217Ct\0\213\367\320T\3\266=\223\306\6\27\10rH\310\11\223\325\322\32y{3\241\21w\24\305", ) == 0x0
 00736   472   NtAllocateVirtualMemory  (-1, 1363968, 0, 16384, 4096, 4, ... 1363968, 16384, ) == 0x0
 00737   472   NtUserRegisterClassExWOW  (1237136, 1237216, 1237200, 1237232, 0, 384, 0, ... ) == 0x810dc038
 00738   472   NtUserGetAtomName  (49208, 1235900, ... ) == 0x15
 00739   472   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00740   472   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00741   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233424, ... ) }, 1233424, ... ) == 0x0
 00742   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 100, {status=0x0, info=1}, ) }, 5, 96, ... 100, {status=0x0, info=1}, ) == 0x0
 00743   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 100, ... 108, ) == 0x0
 00744   472   NtClose  (100, ... ) == 0x0
 00745   472   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x9b0000), 0x0, 204800, ) == 0x0
 00746   472   NtClose  (108, ... ) == 0x0
 00747   472   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 00748   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233740, ... ) }, 1233740, ... ) == 0x0
 00749   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00750   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 100, ) == 0x0
 00751   472   NtQuerySection  (100, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00752   472   NtClose  (108, ... ) == 0x0
 00753   472   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00754   472   NtClose  (100, ... ) == 0x0
 00755   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00756   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00757   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00758   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00759   472   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00760   472   NtClose  (100, ... ) == 0x0
 00761   472   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00762   472   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 108, ) }, ... 108, ) == 0x0
 00763   472   NtQueryValueKey  (108,  (108, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00764   472   NtClose  (108, ... ) == 0x0
 00765   472   NtClose  (100, ... ) == 0x0
 00766   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00767   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 100, ) == 0x0
 00768   472   NtQueryInformationToken  (100, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00769   472   NtClose  (100, ... ) == 0x0
 00770   472   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 100, ) }, ... 100, ) == 0x0
 00771   472   NtOpenKey  (0x1, {24, 100, 0x40, 0, 0,  (0x1, {24, 100, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0
 00772   472   NtQueryValueKey  (108,  (108, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00773   472   NtClose  (108, ... ) == 0x0
 00774   472   NtClose  (100, ... ) == 0x0
 00775   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00776   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00777   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233240, ... ) }, 1233240, ... ) == 0x0
 00778   472   NtUserGetProcessWindowStation  (... ) == 0x28
 00779   472   NtUserGetObjectInformation  (40, 2, 0, 0, 1235536, ... ) == 0x0
 00780   472   NtUserGetObjectInformation  (40, 2, 1376336, 16, 1235536, ... ) == 0x1
 00781   472   NtUserGetGUIThreadInfo  (472, 1235492, ... ) == 0x1
 00782   472   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235312, 64, ... 100, 0x0, 0x0, 0x0, 64, ) == 0x0
 00783   472   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 472, 1557, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1557, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00784   472   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1558, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 472, 1558, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1558, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00785   472   NtUserCallNoParam  (29, ...
 00786   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232784, ... ) }, 1232784, ... ) == 0x0
 00785   472   NtUserCallNoParam  ... ) == 0x0
 00787   472   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 00788   472   NtGdiHfontCreate  (1234864, 356, 0, 0, 1348296, ... ) == 0xc0a03e5
 00789   472   NtGdiHfontCreate  (1234864, 356, 0, 0, 1348288, ... ) == 0x90a03f1
 00790   472   NtRequestWaitReplyPort  (100, {32, 56, new_msg, 0, 0, 0, 0, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1559, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 440, 472, 1559, 0}  (100, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 440, 472, 1559, 0} "\0\0\0\0\0\0\0\0l\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 00791   472   NtMapViewOfSection  (108, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x9b0000), {0, 0}, 331776, ) == 0x0
 00792   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00793   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00794   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00795   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00796   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00797   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00798   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00799   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00800   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00801   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00802   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00803   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00804   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00805   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00806   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00807   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00808   472   NtUserGetWindowDC  (0, ... ) == 0x1010054
 00809   472   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x41003df
 00810   472   NtUserCallOneParam  (16842836, 56, ... ) == 0x1
 00811   472   NtUserCallNoParam  (29, ...
 00812   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232228, ... ) }, 1232228, ... ) == 0x0
 00811   472   NtUserCallNoParam  ... ) == 0x0
 00813   472   NtUserCallNoParam  (29, ...
 00814   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232224, ... ) }, 1232224, ... ) == 0x0
 00813   472   NtUserCallNoParam  ... ) == 0x0
 00815   472   NtUserMessageCall  (0x200b2, WM_NCCREATE, 0x0, 0x12db68, 0, 670, 0, ... ) == 0x1
 00816   472   NtUserMessageCall  (0x200b2, WM_NCCALCSIZE, 0x0, 0x12db90, 0, 670, 0, ... ) == 0x0
 00817   472   NtUserSetProp  (131250, 43288, -1, ... ) == 0x1
 00739   472   NtUserCreateWindowEx  ... ) == 0x200b2
 00818   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337\364\246b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00819   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00820   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00821   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00822   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00823   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00824   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00825   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00826   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00827   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\306\360\\24\236\354\241\0\31\11\252Q<\214pq\272\313\365\357T:\307"\257\365rXo\36z\346$Z\356\2010\265!\365\12\232\226M\3701\3\2232Q\273\26\37\235\242\335F\264\216\3402\371\347J\267\277\337_\246$\\12@0\350G\276\304\235\216", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\306\360\\24\236\354\241\0\31\11\252Q<\214pq\272\313\365\357T:\307"\257\365rXo\36z\346$Z\356\2010\265!\365\12\232\226M\3701\3\2232Q\273\26\37\235\242\335F\264\216\3402\371\347J\267\277\337_\246$\\12@0\350G\276\304\235\216", 80, ... ) \257\365rXo\36z\346$Z\356\2010\265!\365\12\232\226M\3701\3\2232Q\273\26\37\235\242\335F\264\216\3402\371\347J\267\277\337_\246$\\12@0\350G\276\304\235\216", 80, ... ) == 0x0
 00828   472   NtClose  (-2147482208, ... ) == 0x0
 00818   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\311\362\221\34\210Y\302aFk\317\30R\2064ex8i\245\234#!\327s\3166F\254\343\351\211\224\232\366c\253\323\356V\261s\347\327]\262wIt\343\231E\7\314U\30\10\341\373\31\25\206+\215\367"\1\231\357]k\352\367E\351d\373C\302\32\304\250\24\300\230\331\247\240\211\304\270k\10\245?a\335(\261\2764\4\275U\37I\346\314/\250\17\6\240LC\375\ma3\20i\243\241h7\205y\315qyHk&\177yn+\2430I\202\14Ou\346\314\213?fQ\236V\340\332nj\264G\212l\300\345\320\339h"\334||\274\37}\2646Q\211\22\332F]\340\2546 \236*\255\222\324\34\5_\246\223\216\276\357\355\36\341\32<\235\310\275\252\312:y\276\240?\250MD\2572kJ\226\26]\31l\179[\260\326\356\310\233\240\203\316  D`B?a\363\344\322k\13\250\342\17A\7\27", ) \1\231\357]k\352\367E\351d\373C\302\32\304\250\24\300\230\331\247\240\211\304\270k\10\245?a\335(\261\2764\4\275U\37I\346\314/\250\17\6\240LC\375\ma3\20i\243\241h7\205y\315qyHk&\177yn+\2430I\202\14Ou\346\314\213?fQ\236V\340\332nj\264G\212l\300\345\320\339h ... {status=0x0, info=256}, "\311\362\221\34\210Y\302aFk\317\30R\2064ex8i\245\234#!\327s\3166F\254\343\351\211\224\232\366c\253\323\356V\261s\347\327]\262wIt\343\231E\7\314U\30\10\341\373\31\25\206+\215\367"\1\231\357]k\352\367E\351d\373C\302\32\304\250\24\300\230\331\247\240\211\304\270k\10\245?a\335(\261\2764\4\275U\37I\346\314/\250\17\6\240LC\375\ma3\20i\243\241h7\205y\315qyHk&\177yn+\2430I\202\14Ou\346\314\213?fQ\236V\340\332nj\264G\212l\300\345\320\339h"\334||\274\37}\2646Q\211\22\332F]\340\2546 \236*\255\222\324\34\5_\246\223\216\276\357\355\36\341\32<\235\310\275\252\312:y\276\240?\250MD\2572kJ\226\26]\31l\179[\260\326\356\310\233\240\203\316  D`B?a\363\344\322k\13\250\342\17A\7\27", ) , ) == 0x0
 00829   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00830   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00831   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00832   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00833   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00834   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00835   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00836   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00837   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00838   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, ",\264#\26\332\261\304\340\365Nu'Z\37\271\355p\347\26}\230\347\221)te#\311V\205K\315\24\303\274\370\301\307V\341W\374\374n\320\262\364?\366\246\6:\267\337\240]M\271\355U\22\20{\372\271\320\254yh\311\374K)l\271\254\311M\312|", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, ",\264#\26\332\261\304\340\365Nu'Z\37\271\355p\347\26}\230\347\221)te#\311V\205K\315\24\303\274\370\301\307V\341W\374\374n\320\262\364?\366\246\6:\267\337\240]M\271\355U\22\20{\372\271\320\254yh\311\374K)l\271\254\311M\312|", 80, ... ) , 80, ... ) == 0x0
 00839   472   NtClose  (-2147482208, ... ) == 0x0
 00829   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\370\370Qu?\316\355qv\271\375`\26"\206u\372dXd\23\21\372]m\214\6 \276\343\204\331\375;C*\16"\13\373ux8\275m\346\11\32i\267\265\276\11_V\305\201\1F\357u\237\220\377\5\333e\5S_\213:$\265.I\345\335\362\370r\210\252\345\366\212\231\214\330\312n@\33:_*\6\342M6y\216\214M\27\314\4C\205\13\203\341W;\245[\225\351_\266\207\204\266t\351\37\254q\202\252\221R\346\352jK\307\214Eti\213<\243;\345"\254u\33Q\26\353\375%N3\374O\306\274\263\1\350\352{\205c;\357L\372\314OS\250\202\262p\235\345P\245 \375\271q\346\320\227\5\203L\355\231VG\267\223\3\216=\366vJ\3307\221\220&\201\326\335\272\367\200\24D\2169\253\365\371\252\255\366\205=34\363\205\265\3362A\341\350\272\354\202\307\304\240%\12I\321\207\12\26u\206\226\217Q", ) \206u\372dXd\23\21\372]m\214\6 \276\343\204\331\375;C*\16 ... {status=0x0, info=256}, "\370\370Qu?\316\355qv\271\375`\26"\206u\372dXd\23\21\372]m\214\6 \276\343\204\331\375;C*\16"\13\373ux8\275m\346\11\32i\267\265\276\11_V\305\201\1F\357u\237\220\377\5\333e\5S_\213:$\265.I\345\335\362\370r\210\252\345\366\212\231\214\330\312n@\33:_*\6\342M6y\216\214M\27\314\4C\205\13\203\341W;\245[\225\351_\266\207\204\266t\351\37\254q\202\252\221R\346\352jK\307\214Eti\213<\243;\345"\254u\33Q\26\353\375%N3\374O\306\274\263\1\350\352{\205c;\357L\372\314OS\250\202\262p\235\345P\245 \375\271q\346\320\227\5\203L\355\231VG\267\223\3\216=\366vJ\3307\221\220&\201\326\335\272\367\200\24D\2169\253\365\371\252\255\366\205=34\363\205\265\3362A\341\350\272\354\202\307\304\240%\12I\321\207\12\26u\206\226\217Q", ) \254u\33Q\26\353\375%N3\374O\306\274\263\1\350\352{\205c;\357L\372\314OS\250\202\262p\235\345P\245 \375\271q\346\320\227\5\203L\355\231VG\267\223\3\216=\366vJ\3307\221\220&\201\326\335\272\367\200\24D\2169\253\365\371\252\255\366\205=34\363\205\265\3362A\341\350\272\354\202\307\304\240%\12I\321\207\12\26u\206\226\217Q", ) == 0x0
 00840   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I#kQ\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00841   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00842   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00843   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00844   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00845   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00846   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00847   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00848   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00849   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\362\2\201\13\311\306\310\206\341J\x\340\241\361\367m\255y\16\33\370\364\212M\244\305\246\254/\362<\306\375\235\312\267V\256\245a\341\301\334{\346\352\214\350\15\204S\256\315Km&xuP\254\341\177\33\230\235SJ\35\353\275\330\250!\232\371\255\375e", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\362\2\201\13\311\306\310\206\341J\x\340\241\361\367m\255y\16\33\370\364\212M\244\305\246\254/\362<\306\375\235\312\267V\256\245a\341\301\334{\346\352\214\350\15\204S\256\315Km&xuP\254\341\177\33\230\235SJ\35\353\275\330\250!\232\371\255\375e", 80, ... ) , 80, ... ) == 0x0
 00850   472   NtClose  (-2147482208, ... ) == 0x0
 00840   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\0\376\200\335\326\6\25\320\213\267\343\206\24\313\362>\10\37\207\211\0sP\3076b\21'\177\372\214\224\253V\355}UTh\253\32J\232\0\316\303h\32T\346\253!z\344\33\376\36=w\315>\264\343\341\363\350\301\262\343'\4\337\252\224\23\277b\247\2\13\306\216\343\31~\376^\345,\371\332t\210z\21\317\14s\266\257<_F\221X\252\1\2217\211\10l9\221"\236\2610\355_)\345\314{\300k\\313\317P\332\11{w\233\225\252\35\341\237\4\306\223\225\24\306%$\302g7\346\274\270\362|\2\323\205$is\2050j\5\263\25E=\315\212O\311w\21\341A\336|\227\374\274N\373\3026$\310\303\27`x\341y\374\226\250\326\306p\375^ \16\274\235O\353\2503\370\274.\37\177\230P \331\252\31\254\222{\313\310wh \30z\256\310\253\335\360\211\215\33\236pv\261\33RXTO\243\11\3\31236\2610\355_)\345\314{\300k\\313\317P\332\11{w\233\225\252\35\341\237\4\306\223\225\24\306%$\302g7\346\274\270\362|\2\323\205$is\2050j\5\263\25E=\315\212O\311w\21\341A\336|\227\374\274N\373\3026$\310\303\27`x\341y\374\226\250\326\306p\375^ \16\274\235O\353\2503\370\274.\37\177\230P \331\252\31\254\222{\313\310wh \30z\256\310\253\335\360\211\215\33\236pv\261\33RXTO\243\11\3\31360", ) == 0x0
 00851   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I#kQ\212:\304I#kQ\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00852   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00853   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00854   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00855   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00856   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00857   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00858   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00859   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00860   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\260\244\247.\306\303G\357S\231\203h\300\260\252\252m\311\362*2*\363\226\14\370L\373\360W\10\377\261\242\311a\0\14\306I\374\216>\342\310K/\345\325\214\335\341(_\327|h\314\207'N\307u\30\224=j\351\264U\216\24\234ml(\205&\217\14", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\260\244\247.\306\303G\357S\231\203h\300\260\252\252m\311\362*2*\363\226\14\370L\373\360W\10\377\261\242\311a\0\14\306I\374\216>\342\310K/\345\325\214\335\341(_\327|h\314\207'N\307u\30\224=j\351\264U\216\24\234ml(\205&\217\14", 80, ... ) , 80, ... ) == 0x0
 00861   472   NtClose  (-2147482208, ... ) == 0x0
 00851   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "]#\230\2qR\12kZ \205\14\233\265\247^\276'Y\277"\261\305B\17\352\203\217\257U\17\344[z\367\320\7\205BI\371X\376-\225\235\264[o\261B\301\242\2648Vk\230\332,\353\6\322\353B\241xK\362\357C\2\365\1\3050\1\330m\300p+\263\241$\275R1\3571\206\240;\241oy*\340e\221\10\24\206 \361\321\300\22O\0\U\15l\346\347\4\264{\300\177t\5\302\248V\266\374\261e\251D\221w\222\213\307\236\306K\330\224\236?9\204\301[\372\340\304\373\240\16\253\37)\211[\27z\367\202\271\252?BK\33\345\375\277>0\340\257\27\2579\305b\345\265\254\131m5\245\267\231\26\3236\366\375\3479\206\216\314W\315}\201G\304\363\362x\275\25\327\370Z\36\251", ) R\12kZ \205\14\233\265\247^\276'Y\277 ... {status=0x0, info=256}, "]#\230\2qR\12kZ \205\14\233\265\247^\276'Y\277"\261\305B\17\352\203\217\257U\17\344[z\367\320\7\205BI\371X\376-\225\235\264[o\261B\301\242\2648Vk\230\332,\353\6\322\353B\241xK\362\357C\2\365\1\3050\1\330m\300p+\263\241$\275R1\3571\206\240;\241oy*\340e\221\10\24\206 \361\321\300\22O\0\U\15l\346\347\4\264{\300\177t\5\302\248V\266\374\261e\251D\221w\222\213\307\236\306K\330\224\236?9\204\301[\372\340\304\373\240\16\253\37)\211[\27z\367\202\271\252?BK\33\345\375\277>0\340\257\27\2579\305b\345\265\254\131m5\245\267\231\26\3236\366\375\3479\206\216\314W\315}\201G\304\363\362x\275\25\327\370Z\36\251", ) , ) == 0x0
 00862   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00863   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00864   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00865   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00866   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00867   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00868   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00869   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00870   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00871   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\366lY\212,\236\265\240u:\227\232\312\11\273u\274N\223h\231Q"; vys\10\367\15\201\376\234\34324\344\364\272}\375\362hE\0\274$\210W\214\271\217\230e\27y\315\261\353G\233e4UZa\207\324\35;)\344r\261\31\373XQ", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\366lY\212,\236\265\240u:\227\232\312\11\273u\274N\223h\231Q"; vys\10\367\15\201\376\234\34324\344\364\272}\375\362hE\0\274$\210W\214\271\217\230e\27y\315\261\353G\233e4UZa\207\324\35;)\344r\261\31\373XQ", 80, ... ) ; vys\10\367\15\201\376\234\34324\344\364\272}\375\362hE\0\274$\210W\214\271\217\230e\27y\315\261\353G\233e4UZa\207\324\35;)\344r\261\31\373XQ", 80, ... ) == 0x0
 00872   472   NtClose  (-2147482208, ... ) == 0x0
 00862   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "x&E\371\236\260\354\15)\362\233M\224\234.\317\266\301\235\21u"\203I\306\16\256\257\240V\355B\317X\204\5\211\217|\211\371$\210&\354\11H?\364c@\306U\356{\27\223\372\313\224\237\32\276\352\2459\211\257\17E\244\307(\327\220\3\3i\36\216\234\354\240\4(\210C\243\11l\307\254\310R2\336lt\376P=\242Z :\365\225ND`\367ye\344i\254\302@m\15b\231\302RX\377\3\261\16\223\236\243\342\314\375\261\203\3318\177L\321\265\316=\375.\356G\2130>Zc\372\344\352\224\215\314\317\335\0\254\4\10\273Q\330@\246\240&f\270d8\246\260\260\244Q?M\214\32\305\362\302\310\220\277y\240\303K\335\265\270\333\305$\247[\220\246l\240\241\357$NP\355\276\317/\207\263Z\252\241\222\213\210\337\12@\215\317j6D\345\234)\200x\241\177\255{|,\373\330\4\7\307\24\30R\17\276w", ) \203I\306\16\256\257\240V\355B\317X\204\5\211\217|\211\371$\210&\354\11H?\364c@\306U\356{\27\223\372\313\224\237\32\276\352\2459\211\257\17E\244\307(\327\220\3\3i\36\216\234\354\240\4(\210C\243\11l\307\254\310R2\336lt\376P=\242Z :\365\225ND`\367ye\344i\254\302@m\15b\231\302RX\377\3\261\16\223\236\243\342\314\375\261\203\3318\177L\321\265\316=\375.\356G\2130>Zc\372\344\352\224\215\314\317\335\0\254\4\10\273Q\330@\246\240&f\270d8\246\260\260\244Q?M\214\32\305\362\302\310\220\277y\240\303K\335\265\270\333\305$\247[\220\246l\240\241\357$NP\355\276\317/\207\263Z\252\241\222\213\210\337\12@\215\317j6D\345\234)\200x\241\177\255{|,\373\330\4\7\307\24\30R\17\276w", ) == 0x0
 00873   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00874   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00875   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00876   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00877   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00878   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00879   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00880   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00881   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00882   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\211f\35`M\214\203\370;!\310\303\243\320\375\273\316\374\{H\16)A\254\346`\257\352\236[\213fn\306\321\216\223\250\275\275\326,\5\236l\330mQ@\250\342\34L>\2528\26\262\274\138\366e\0\252\242`d[\24\264p\202m\270\32\227\315\240", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\211f\35`M\214\203\370;!\310\303\243\320\375\273\316\374\{H\16)A\254\346`\257\352\236[\213fn\306\321\216\223\250\275\275\326,\5\236l\330mQ@\250\342\34L>\2528\26\262\274\138\366e\0\252\242`d[\24\264p\202m\270\32\227\315\240", 80, ... ) , 80, ... ) == 0x0
 00883   472   NtClose  (-2147482208, ... ) == 0x0
 00873   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "7b\276\316\5\20\4]w\14\14\334\210\10J^V\325\350\250*_Qg\355G\365=\377\207e\331\354\246TgW\236\357\367q\370\354\206\24\137\327\362Ha\360\302\36\2433\372\345\267\205\252A]\333\240\254\205T\342\375\234\335\353\260\207\343\356\344J\354,\245k\32d\227x\2431dZ\322;\220\3208\247\324\210n\341\303\212\212O\27\27\271\271h\216\261\31W\3121\271\.\305f;T\216\240l(\231\276\200\326\202xi]\334\303\317K%\217LWWv^\27\216\30\310'\212\363g\350J\364\325O}\260\355\313dV\365h\15=\362\14\245v\324\375scr\21S,\3639\204\232;=\230\21Y\260f\211\351\265\266^k"eFN=\373\255\1\246\276\256\322&\255\263d/\242\235\261\261f\256\11\10yf\357i\266\366[n\253\336%\237\340\23\235\30\335(P\263\257\245\377\323WWNt\33H\231t\221", ) eFN=\373\255\1\246\276\256\322&\255\263d/\242\235\261\261f\256\11\10yf\357i\266\366[n\253\336%\237\340\23\235\30\335(P\263\257\245\377\323WWNt\33H\231t\221", ) == 0x0
 00884   472   NtDeviceIoControlFile  (104, 0, 0x0, 0x0, 0x390008,  (104, 0, 0x0, 0x0, 0x390008, "\243\372\3655\3\361\303\232\235k\250(\250\337V\330Q\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I#kQ\212:\304I\201\25b\177yqB\235/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ...
 00885   472   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00886   472   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00887   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00888   472   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00889   472   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00890   472   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00891   472   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00892   472   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482208, 2, ) }, 0, 0x0, 0, ... -2147482208, 2, ) == 0x0
 00893   472   NtSetValueKey  (-2147482208,  (-2147482208, "Seed", 0, 3, "\367\R)\2\257\341\313\0\232\243\357zD\204\206\25~\7\210?\360", 80, ... ) , 0, 3,  (-2147482208, "Seed", 0, 3, "\367\R)\2\257\341\313\0\232\243\357zD\204\206\25~\7\210?\360", 80, ... ) , 80, ... ) == 0x0
 00894   472   NtClose  (-2147482208, ... ) == 0x0
 00884   472   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\30\340\366\331\322\22\244\301A\326 ^\3256\210\314\262)\2277\5\212\257'\23\2676-\366{E\357\200\266uF=\313C\325t\277\334\202\11\31\2\10\25\225hQ2J\220\227\345fCf\303\317\314\3021\340\323\36\221\316D8,\212$H\2652\204\200\272\10\25\331\367\214\345\330\247K=\26\264\365\205]\25tN\333\310\16\222\206\250z\202\177\264<\311F_?j@`\306M\203\342\216\316\343\377\237\2&2\205R\0\371\310\376U^\272\367\235\33\327C\4%\330\322\225c\230\275LY\205\236?\n\2631"\324\360\332kzDUJ\352\27\307\222\323_H\21\34\7Q \304[k#l\224~\230/\355\362U3\261\267\326\201Gk!\303\363g\376\276\205\2Y6\355\265\334\314I\11\366\252\257\324\245}\215U\213\12\325x\321\221\366\334\23\303a\351\317\376P\332\336\233\336\312\222\275\260\240\260g\234\354\314\245", ) \324\360\332kzDUJ\352\27\307\222\323_H\21\34\7Q \304[k#l\224~\230/\355\362U3\261\267\326\201Gk!\303\363g\376\276\205\2Y6\355\265\334\314I\11\366\252\257\324\245}\215U\213\12\325x\321\221\366\334\23\303a\351\317\376P\332\336\233\336\312\222\275\260\240\260g\234\354\314\245", ) == 0x0
 00895   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 112, ) }, ... 112, ) == 0x0
 00896   472   NtQueryValueKey  (112,  (112, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00897   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 00898   472   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00899   472   NtClose  (116, ... ) == 0x0
 00900   472   NtClose  (112, ... ) == 0x0
 00901   472   NtAllocateVirtualMemory  (-1, 1380352, 0, 24576, 4096, 4, ... 1380352, 24576, ) == 0x0
 00902   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235296, ... ) }, 1235296, ... ) == 0x0
 00906   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00907   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 116, ) == 0x0
 00908   472   NtQuerySection  (116, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   472   NtClose  (112, ... ) == 0x0
 00910   472   NtMapViewOfSection  (116, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 00911   472   NtClose  (116, ... ) == 0x0
 00912   472   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00914   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 116, ) }, ... 116, ) == 0x0
 00915   472   NtQueryValueKey  (116,  (116, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00916   472   NtClose  (116, ... ) == 0x0
 00917   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00918   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 00919   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 112, ) == 0x0
 00920   472   NtQuerySystemTime  (... {-2021802140, 29868089}, ) == 0x0
 00921   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 120, ) == 0x0
 00922   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00923   472   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 00924   472   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 00925   472   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 00926   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 00927   472   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 128, ) == 0x0
 00928   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 132, ) }, ... 132, ) == 0x0
 00929   472   NtOpenKey  (0x20019, {24, 132, 0x40, 0, 0,  (0x20019, {24, 132, 0x40, 0, 0, "ActiveComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 00930   472   NtQueryValueKey  (136,  (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (136, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 00931   472   NtClose  (136, ... ) == 0x0
 00932   472   NtClose  (132, ... ) == 0x0
 00933   472   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 132, ) == 0x0
 00934   472   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 136, ) == 0x0
 00935   472   NtDuplicateObject  (-1, 132, -1, 0x0, 0, 2, ... 140, ) == 0x0
 00936   472   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00937   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00938   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 144, ) == 0x0
 00939   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 00940   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00941   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235664,  (0xc0100080, {24, 0, 0x40, 0, 1235664, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 148, {status=0x0, info=1}, ) == 0x0
 00942   472   NtSetInformationFile  (148, 1235720, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 00943   472   NtSetInformationFile  (148, 1235712, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 00944   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 00945   472   NtWriteFile  (148, 125, 0, 0,  (148, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 00946   472   NtReadFile  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (148, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237 \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 00947   472   NtFsControlFile  (148, 125, 0x0, 0x0, 0x11c017,  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237 \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (148, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\237 \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 00948   472   NtClose  (144, ... ) == 0x0
 00949   472   NtClose  (148, ... ) == 0x0
 00950   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235708, ... ) }, 1235708, ... ) == 0x0
 00951   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00952   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00953   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235528, ... ) }, 1235528, ... ) == 0x0
 00954   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 00955   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 00956   472   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00957   472   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1409304, 0,  (0x1f0003, {24, 52, 0x80, 1409304, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 148, ) }, 0, 2147483647, ... 148, ) == STATUS_OBJECT_NAME_EXISTS
 00958   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00959   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00960   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00961   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00962   472   NtQueryValueKey  (144,  (144, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00963   472   NtClose  (144, ... ) == 0x0
 00964   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00965   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00966   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00967   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00968   472   NtQueryValueKey  (144,  (144, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00969   472   NtClose  (144, ... ) == 0x0
 00970   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00971   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00972   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00973   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00974   472   NtQueryValueKey  (144,  (144, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00975   472   NtClose  (144, ... ) == 0x0
 00976   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00977   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00978   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00979   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00980   472   NtQueryValueKey  (144,  (144, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00981   472   NtClose  (144, ... ) == 0x0
 00982   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00983   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00984   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00985   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00986   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00987   472   NtQueryValueKey  (144,  (144, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00988   472   NtClose  (144, ... ) == 0x0
 00989   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 00990   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 00991   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00992   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 144, ) }, ... 144, ) == 0x0
 00993   472   NtQueryValueKey  (144,  (144, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00994   472   NtClose  (144, ... ) == 0x0
 00995   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00996   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 144, ) == 0x0
 00997   472   NtQueryInformationToken  (144, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00998   472   NtClose  (144, ... ) == 0x0
 00999   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 144, ) }, ... 144, ) == 0x0
 01000   472   NtSetInformationObject  (146, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01001   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01002   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01003   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 152, ) }, ... 152, ) == 0x0
 01004   472   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01005   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01006   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01007   472   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01008   472   NtClose  (156, ... ) == 0x0
 01009   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01010   472   NtQueryValueKey  (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (154, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01011   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233436, ... ) }, 1233436, ... ) == 0x0
 01012   472   NtClose  (154, ... ) == 0x0
 01013   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01014   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01015   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 152, ) }, ... 152, ) == 0x0
 01016   472   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 01017   472   NtQueryKey  (154, Name, 392, ... {Name= (154, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01018   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01019   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 156, ) == 0x0
 01020   472   NtQueryInformationToken  (156, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01021   472   NtClose  (156, ... ) == 0x0
 01022   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01023   472   NtEnumerateKey  (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (154, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01024   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01025   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01026   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 156, ) }, ... 156, ) == 0x0
 01027   472   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01028   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01029   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01030   472   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01031   472   NtClose  (160, ... ) == 0x0
 01032   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01033   472   NtQueryValueKey  (158,  (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (158, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01034   472   NtClose  (158, ... ) == 0x0
 01035   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01036   472   NtEnumerateKey  (154, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01037   472   NtClose  (154, ... ) == 0x0
 01038   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01039   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 152, ) }, ... 152, ) == 0x0
 01040   472   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "FileExts"}, ... 156, ) }, ... 156, ) == 0x0
 01041   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01042   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01043   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01044   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01045   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01046   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 160, ) }, ... 160, ) == 0x0
 01047   472   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01048   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01049   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01050   472   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01051   472   NtClose  (164, ... ) == 0x0
 01052   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01053   472   NtQueryValueKey  (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (162, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 01054   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01055   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01056   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 164, ) }, ... 164, ) == 0x0
 01057   472   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01058   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01059   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01060   472   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01061   472   NtClose  (168, ... ) == 0x0
 01062   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01063   472   NtOpenKey  (0x1, {24, 166, 0x40, 0, 0,  (0x1, {24, 166, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01064   472   NtQueryKey  (166, Name, 384, ... {Name= (166, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01065   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01066   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01067   472   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01068   472   NtClose  (168, ... ) == 0x0
 01069   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01070   472   NtOpenKey  (0x2000000, {24, 166, 0x40, 0, 0, ""}, ... 168, ) == 0x0
 01071   472   NtClose  (166, ... ) == 0x0
 01072   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01073   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01074   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01075   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01076   472   NtQueryValueKey  (164,  (164, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01077   472   NtClose  (164, ... ) == 0x0
 01078   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01079   472   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0, ""}, ... 164, ) == 0x0
 01080   472   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01081   472   NtQueryValueKey  (164,  (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (164, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01082   472   NtClose  (164, ... ) == 0x0
 01083   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01084   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01085   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01086   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01087   472   NtQueryValueKey  (164,  (164, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01088   472   NtClose  (164, ... ) == 0x0
 01089   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01090   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01091   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01092   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01093   472   NtQueryValueKey  (164,  (164, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01094   472   NtClose  (164, ... ) == 0x0
 01095   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01096   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01097   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01098   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01099   472   NtQueryValueKey  (164,  (164, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01100   472   NtClose  (164, ... ) == 0x0
 01101   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01102   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01103   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01104   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01105   472   NtQueryValueKey  (164,  (164, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01106   472   NtClose  (164, ... ) == 0x0
 01107   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01108   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01109   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01110   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01111   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01112   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01113   472   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01114   472   NtClose  (164, ... ) == 0x0
 01115   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01116   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01117   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01118   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01119   472   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01120   472   NtClose  (164, ... ) == 0x0
 01121   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01122   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01123   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 164, ) }, ... 164, ) == 0x0
 01125   472   NtQueryValueKey  (164,  (164, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01126   472   NtClose  (164, ... ) == 0x0
 01127   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01128   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01129   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01130   472   NtOpenKey  (0x2000000, {24, 152, 0x40, 0, 0,  (0x2000000, {24, 152, 0x40, 0, 0, "Advanced"}, ... 164, ) }, ... 164, ) == 0x0
 01131   472   NtQueryValueKey  (164,  (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01132   472   NtQueryValueKey  (164,  (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01133   472   NtQueryValueKey  (164,  (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01134   472   NtQueryValueKey  (164,  (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01135   472   NtQueryValueKey  (164,  (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01136   472   NtQueryValueKey  (164,  (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01137   472   NtQueryValueKey  (164,  (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01138   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01139   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01140   472   NtQueryValueKey  (164,  (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01141   472   NtQueryValueKey  (164,  (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01142   472   NtQueryValueKey  (164,  (164, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   472   NtQueryValueKey  (164,  (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (164, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01144   472   NtQueryValueKey  (164,  (164, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01145   472   NtClose  (164, ... ) == 0x0
 01146   472   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1409304, 0,  (0x1f0003, {24, 52, 0x80, 1409304, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 164, ) }, 0, 2147483647, ... 164, ) == STATUS_OBJECT_NAME_EXISTS
 01147   472   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01148   472   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01149   472   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01150   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01151   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01152   472   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01153   472   NtClose  (172, ... ) == 0x0
 01154   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01155   472   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01156   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01157   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01158   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01159   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01160   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01161   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 172, ) }, ... 172, ) == 0x0
 01162   472   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01163   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01164   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01165   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01166   472   NtClose  (176, ... ) == 0x0
 01167   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01168   472   NtQueryValueKey  (174,  (174, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01169   472   NtClose  (174, ... ) == 0x0
 01170   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01171   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01172   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01173   472   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01174   472   NtClose  (172, ... ) == 0x0
 01175   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01176   472   NtQueryValueKey  (170,  (170, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01177   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01178   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01179   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01180   472   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01181   472   NtClose  (172, ... ) == 0x0
 01182   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01183   472   NtQueryValueKey  (170,  (170, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01184   472   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01185   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01186   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01187   472   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01188   472   NtClose  (172, ... ) == 0x0
 01189   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01190   472   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01191   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01192   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01193   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 172, ) }, ... 172, ) == 0x0
 01194   472   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 01195   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01196   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01197   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01198   472   NtClose  (176, ... ) == 0x0
 01199   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   472   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01201   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01202   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01203   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01204   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01205   472   NtClose  (176, ... ) == 0x0
 01206   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01207   472   NtQueryValueKey  (170,  (170, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01209   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01210   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01211   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01212   472   NtClose  (176, ... ) == 0x0
 01213   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01214   472   NtQueryValueKey  (170,  (170, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01215   472   NtQueryKey  (170, Name, 392, ... {Name= (170, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01216   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01217   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01218   472   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01219   472   NtClose  (176, ... ) == 0x0
 01220   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01221   472   NtQueryValueKey  (170,  (170, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01222   472   NtClose  (162, ... ) == 0x0
 01223   472   NtClose  (170, ... ) == 0x0
 01224   472   NtClose  (174, ... ) == 0x0
 01225   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01226   472   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1409304, 0,  (0x1f0003, {24, 52, 0x80, 1409304, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 172, ) }, 0, 2147483647, ... 172, ) == STATUS_OBJECT_NAME_EXISTS
 01227   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01228   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01229   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01230   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01231   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01232   472   NtQueryValueKey  (168,  (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01233   472   NtClose  (168, ... ) == 0x0
 01234   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01235   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 168, 2, ) }, 0, 0x0, 0, ... 168, 2, ) == 0x0
 01236   472   NtSetValueKey  (168,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1,  (168, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0
 01237   472   NtClose  (168, ... ) == 0x0
 01238   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01239   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0
 01240   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 168, ... 160, ) == 0x0
 01241   472   NtClose  (168, ... ) == 0x0
 01242   472   NtMapViewOfSection  (160, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 262144, ) == 0x0
 01243   472   NtClose  (160, ... ) == 0x0
 01244   472   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 01245   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01246   472   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01247   472   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01249   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01250   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233648, ... ) }, 1233648, ... ) == 0x0
 01251   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 160, {status=0x0, info=1}, ) }, 5, 96, ... 160, {status=0x0, info=1}, ) == 0x0
 01252   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 160, ... 168, ) == 0x0
 01253   472   NtQuerySection  (168, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01254   472   NtClose  (160, ... ) == 0x0
 01255   472   NtMapViewOfSection  (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01256   472   NtClose  (168, ... ) == 0x0
 01257   472   NtAllocateVirtualMemory  (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0
 01258   472   NtQueryDefaultLocale  (1, 1233480, ... ) == 0x0
 01259   472   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01260   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01261   472   NtQueryValueKey  (168,  (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01262   472   NtClose  (168, ... ) == 0x0
 01263   472   NtUserGetProcessWindowStation  (... ) == 0x28
 01264   472   NtUserGetObjectInformation  (40, 1, 1233152, 12, 1233164, ... ) == 0x1
 01265   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 168, ) }, ... 168, ) == 0x0
 01266   472   NtQueryValueKey  (168,  (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01267   472   NtClose  (168, ... ) == 0x0
 01268   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01269   472   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01270   472   NtQueryValueKey  (168,  (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01271   472   NtClose  (168, ... ) == 0x0
 01272   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01273   472   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01274   472   NtQueryValueKey  (168,  (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01275   472   NtClose  (168, ... ) == 0x0
 01276   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01277   472   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01278   472   NtQueryValueKey  (168,  (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01279   472   NtClose  (168, ... ) == 0x0
 01280   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01281   472   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01282   472   NtQueryValueKey  (168,  (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (168, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01283   472   NtClose  (168, ... ) == 0x0
 01284   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 168, ) }, ... 168, ) == 0x0
 01285   472   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01286   472   NtQueryValueKey  (168,  (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01287   472   NtClose  (168, ... ) == 0x0
 01288   472   NtAllocateVirtualMemory  (-1, 1417216, 0, 4096, 4096, 4, ... 1417216, 4096, ) == 0x0
 01289   472   NtOpenKey  (0x20019, {24, 32, 0x40, 0, 0,  (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 168, ) }, ... 168, ) == 0x0
 01290   472   NtQueryValueKey  (168,  (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (168, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01291   472   NtClose  (168, ... ) == 0x0
 01292   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 168, ) == 0x0
 01293   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 160, ) == 0x0
 01294   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 176, ) == 0x0
 01295   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 180, ) == 0x0
 01296   472   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 184, ) == 0x0
 01297   472   NtCreateMutant  (0x1f0001, 0x0, 0, ... 188, ) == 0x0
 01298   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 192, ) }, ... 192, ) == 0x0
 01299   472   NtQueryValueKey  (192,  (192, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   472   NtQueryValueKey  (192,  (192, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01301   472   NtOpenKey  (0x1, {24, 192, 0x40, 0, 0,  (0x1, {24, 192, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   472   NtClose  (192, ... ) == 0x0
 01303   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233072, ... ) }, 1233072, ... ) == 0x0
 01304   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 192, ) }, ... 192, ) == 0x0
 01305   472   NtQueryValueKey  (192,  (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (192, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01306   472   NtClose  (192, ... ) == 0x0
 01307   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01308   472   NtQueryValueKey  (192,  (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (192, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01309   472   NtClose  (192, ... ) == 0x0
 01310   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 192, ) }, ... 192, ) == 0x0
 01312   472   NtQueryValueKey  (192,  (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (192, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01313   472   NtClose  (192, ... ) == 0x0
 01314   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01315   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01316   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01317   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01318   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01319   472   NtSetInformationFile  (196, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01320   472   NtSetInformationFile  (196, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01321   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01322   472   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01323   472   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01324   472   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\261\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01325   472   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01326   472   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\24|\5\301,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01327   472   NtClose  (192, ... ) == 0x0
 01328   472   NtClose  (196, ... ) == 0x0
 01329   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01330   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01331   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01332   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01333   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233852,  (0xc0100080, {24, 0, 0x40, 0, 1233852, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0
 01334   472   NtSetInformationFile  (192, 1233908, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01335   472   NtSetInformationFile  (192, 1233900, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01336   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01337   472   NtWriteFile  (192, 125, 0, 0,  (192, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01338   472   NtReadFile  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (192, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\262\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01339   472   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\262\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0t\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\262\35\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01340   472   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01341   472   NtFsControlFile  (192, 125, 0x0, 0x0, 0x11c017,  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (192, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\25|\5\301,,\334\21\261\306\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01342   472   NtClose  (196, ... ) == 0x0
 01343   472   NtClose  (192, ... ) == 0x0
 01344   472   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01345   472   NtOpenProcessToken  (-1, 0x20, ... 192, ) == 0x0
 01346   472   NtAdjustPrivilegesToken  (192, 0, 1417440, 0, 0, 0, ... ) == 0x0
 01347   472   NtClose  (192, ... ) == 0x0
 01348   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01349   472   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 192, ) == 0x0
 01350   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01351   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01352   472   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234092,  (0xc0100080, {24, 0, 0x40, 0, 1234092, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01353   472   NtSetInformationFile  (196, 1234148, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01354   472   NtSetInformationFile  (196, 1234140, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01355   472   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01356   472   NtWriteFile  (196, 125, 0, 0,  (196, 125, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01357   472   NtReadFile  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 125, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01358   472   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E\37\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01359   472   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01360   472   NtOpenProcessToken  (-1, 0x20, ... 200, ) == 0x0
 01361   472   NtAdjustPrivilegesToken  (200, 0, 1417520, 0, 0, 0, ... ) == 0x0
 01362   472   NtClose  (200, ... ) == 0x0
 01363   472   NtFsControlFile  (196, 125, 0x0, 0x0, 0x11c017,  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (196, 125, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01364   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01365   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01366   472   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01367   472   NtClose  (204, ... ) == 0x0
 01368   472   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01369   472   NtClose  (200, ... ) == 0x0
 01370   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=1}, ) }, 3, 16, ... 200, {status=0x0, info=1}, ) == 0x0
 01371   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01372   472   NtClose  (200, ... ) == 0x0
 01373   472   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01374   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01375   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01376   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01377   472   NtClose  (-2147482208, ... ) == 0x0
 01375   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01378   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01379   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01380   472   NtClose  (-2147482208, ... ) == 0x0
 01378   472   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01381   472   NtClose  (200, ... ) == 0x0
 01382   472   NtAllocateVirtualMemory  (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0
 01383   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01384   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01385   472   NtClose  (200, ... ) == 0x0
 01386   472   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01387   472   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0l\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0l\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01388   472   NtClose  (204, ... ) == 0x0
 01389   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01390   472   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01391   472   NtClose  (204, ... ) == 0x0
 01392   472   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01393   472   NtClose  (200, ... ) == 0x0
 01394   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01395   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01396   472   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01397   472   NtClose  (204, ... ) == 0x0
 01398   472   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01399   472   NtClose  (200, ... ) == 0x0
 01400   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01401   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01402   472   NtClose  (200, ... ) == 0x0
 01403   472   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01404   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01405   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01406   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01407   472   NtClose  (-2147482208, ... ) == 0x0
 01405   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01408   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01409   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01410   472   NtClose  (-2147482208, ... ) == 0x0
 01408   472   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\0\0\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01411   472   NtClose  (200, ... ) == 0x0
 01412   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01413   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01414   472   NtClose  (200, ... ) == 0x0
 01415   472   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01416   472   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\211\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\211\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01417   472   NtClose  (204, ... ) == 0x0
 01418   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01419   472   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01420   472   NtClose  (204, ... ) == 0x0
 01421   472   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01422   472   NtClose  (200, ... ) == 0x0
 01423   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 200, {status=0x0, info=0}, ) }, 3, 96, ... 200, {status=0x0, info=0}, ) == 0x0
 01424   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 204, ) }, ... 204, ) == 0x0
 01425   472   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01426   472   NtClose  (204, ... ) == 0x0
 01427   472   NtQueryVolumeInformationFile  (200, 1234552, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01428   472   NtClose  (200, ... ) == 0x0
 01429   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 200, {status=0x0, info=0}, ) }, 3, 16, ... 200, {status=0x0, info=0}, ) == 0x0
 01430   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (200, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01431   472   NtClose  (200, ... ) == 0x0
 01432   472   NtQueryInformationFile  (-1, 1234552, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01433   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234504,  (0x100080, {24, 0, 0x40, 0, 1234504, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01434   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01435   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01436   472   NtClose  (-2147482208, ... ) == 0x0
 01434   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01437   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0008,  (200, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01438   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01439   472   NtClose  (-2147482208, ... ) == 0x0
 01437   472   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01440   472   NtClose  (200, ... ) == 0x0
 01441   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01442   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01443   472   NtClose  (200, ... ) == 0x0
 01444   472   NtQueryValueKey  (204,  (204, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01445   472   NtQueryValueKey  (204,  (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (204, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\246\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\314\0\0\0\246\5\0\0\270\1\0\0\330\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\5\0\0\270\1\0\0\330\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0<\0\0\0l\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\250\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01446   472   NtClose  (204, ... ) == 0x0
 01447   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01448   472   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 200, ) }, ... 200, ) == 0x0
 01449   472   NtClose  (204, ... ) == 0x0
 01450   472   NtQueryValueKey  (200,  (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (200, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01451   472   NtClose  (200, ... ) == 0x0
 01452   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01453   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01454   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01455   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01456   472   NtClose  (-2147482208, ... ) == 0x0
 01454   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01457   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01458   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01459   472   NtClose  (-2147482208, ... ) == 0x0
 01457   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01460   472   NtClose  (200, ... ) == 0x0
 01461   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01462   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01463   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01464   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01465   472   NtClose  (-2147482208, ... ) == 0x0
 01463   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01466   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01467   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01468   472   NtClose  (-2147482208, ... ) == 0x0
 01466   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01469   472   NtClose  (200, ... ) == 0x0
 01470   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01471   472   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01472   472   NtClose  (200, ... ) == 0x0
 01473   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01475   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01477   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01478   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01479   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01480   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01481   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01482   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01483   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01484   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01485   472   NtClose  (-2147482208, ... ) == 0x0
 01483   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01486   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01487   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01488   472   NtClose  (-2147482208, ... ) == 0x0
 01486   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01489   472   NtClose  (200, ... ) == 0x0
 01490   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01491   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01492   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01493   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01494   472   NtClose  (-2147482208, ... ) == 0x0
 01492   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01495   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01496   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=0}, ) }, 0, 64, ... -2147482208, {status=0x0, info=0}, ) == 0x0
 01497   472   NtClose  (-2147482208, ... ) == 0x0
 01495   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01498   472   NtClose  (200, ... ) == 0x0
 01499   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01500   472   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01501   472   NtClose  (200, ... ) == 0x0
 01502   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01503   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01504   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01505   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01506   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01507   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01508   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01509   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01510   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01511   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01512   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01513   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01514   472   NtClose  (-2147482208, ... ) == 0x0
 01512   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01515   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01516   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01517   472   NtClose  (-2147482208, ... ) == 0x0
 01515   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01518   472   NtClose  (200, ... ) == 0x0
 01519   472   NtQueryInformationFile  (-1, 1235756, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01520   472   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235708,  (0x100080, {24, 0, 0x40, 0, 1235708, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 200, {status=0x0, info=0}, ) == 0x0
 01521   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01522   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01523   472   NtClose  (-2147482208, ... ) == 0x0
 01521   472   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01524   472   NtDeviceIoControlFile  (200, 0, 0x0, 0x0, 0x6d0034,  (200, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01525   472   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482208, {status=0x0, info=1}, ) }, 0, 64, ... -2147482208, {status=0x0, info=1}, ) == 0x0
 01526   472   NtClose  (-2147482208, ... ) == 0x0
 01524   472   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01527   472   NtClose  (200, ... ) == 0x0
 01528   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 200, 2, ) }, 0, 0x0, 0, ... 200, 2, ) == 0x0
 01529   472   NtSetValueKey  (200,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (200, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01530   472   NtClose  (200, ... ) == 0x0
 01531   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01532   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01533   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01534   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01535   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01537   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01538   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01539   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01540   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01541   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01542   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 204, ) }, ... 204, ) == 0x0
 01543   472   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\F:00000000000091d5", 66, ) , 66, ) == 0x0
 01544   472   NtClose  (204, ... ) == 0x0
 01545   472   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01546   472   NtClose  (200, ... ) == 0x0
 01547   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01548   472   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 200, {status=0x0, info=1}, ) }, 3, 96, ... 200, {status=0x0, info=1}, ) == 0x0
 01549   472   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 204, ) }, ... 204, ) == 0x0
 01550   472   NtQuerySymbolicLinkObject  (204, ...  (204, ... "\Device\WinDfs\U:00000000000091d5", 66, ) , 66, ) == 0x0
 01551   472   NtClose  (204, ... ) == 0x0
 01552   472   NtQueryVolumeInformationFile  (200, 1235800, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01553   472   NtClose  (200, ... ) == 0x0
 01554   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01555   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01556   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01557   472   NtClose  (200, ... ) == 0x0
 01558   472   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01559   472   NtClose  (204, ... ) == 0x0
 01560   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01561   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01562   472   NtClose  (204, ... ) == 0x0
 01563   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01564   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01565   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 204, ) }, ... 204, ) == 0x0
 01566   472   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01567   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01568   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01569   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01570   472   NtClose  (200, ... ) == 0x0
 01571   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01572   472   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01573   472   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01574   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01575   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 01576   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01577   472   NtClose  (200, ... ) == 0x0
 01578   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01579   472   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 200, ) == 0x0
 01580   472   NtClose  (206, ... ) == 0x0
 01581   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 01582   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 01583   472   NtReleaseSemaphore  (164, 1, ... 0, ) == 0x0
 01584   472   NtWaitForSingleObject  (164, 0, {0, 0}, ... ) == 0x0
 01585   472   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01586   472   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 01587   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01588   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01589   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01590   472   NtClose  (204, ... ) == 0x0
 01591   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01592   472   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01593   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01594   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01595   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01596   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01597   472   NtClose  (204, ... ) == 0x0
 01598   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01599   472   NtQueryValueKey  (202,  (202, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01600   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01601   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01602   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01603   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01604   472   NtClose  (204, ... ) == 0x0
 01605   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01606   472   NtQueryValueKey  (202,  (202, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01607   472   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01608   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01609   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01610   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01611   472   NtClose  (204, ... ) == 0x0
 01612   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01613   472   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01614   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01615   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01616   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 204, ) }, ... 204, ) == 0x0
 01617   472   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01618   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01619   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01620   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01621   472   NtClose  (208, ... ) == 0x0
 01622   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01623   472   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01624   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01625   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01626   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01627   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01628   472   NtClose  (208, ... ) == 0x0
 01629   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01630   472   NtQueryValueKey  (202,  (202, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01631   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01632   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01633   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01634   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01635   472   NtClose  (208, ... ) == 0x0
 01636   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01637   472   NtQueryValueKey  (202,  (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (202, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01638   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01639   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01640   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01641   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01642   472   NtClose  (208, ... ) == 0x0
 01643   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01644   472   NtQueryValueKey  (202,  (202, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01645   472   NtClose  (202, ... ) == 0x0
 01646   472   NtClose  (206, ... ) == 0x0
 01647   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01648   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233892, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01649   472   NtClose  (204, ... ) == 0x0
 01650   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01651   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233812, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01652   472   NtClose  (204, ... ) == 0x0
 01653   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01654   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01655   472   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01656   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01657   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01658   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01659   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01660   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01661   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01662   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01663   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01664   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01665   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01666   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01667   472   NtClose  (204, ... ) == 0x0
 01668   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01669   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01670   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01671   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01672   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01673   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01674   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01675   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01676   472   NtClose  (204, ... ) == 0x0
 01677   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01678   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01679   472   NtClose  (204, ... ) == 0x0
 01680   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01681   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01682   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229184, ... ) }, 1229184, ... ) == 0x0
 01683   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01684   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01685   472   NtAllocateVirtualMemory  (-1, 1429504, 0, 4096, 4096, 4, ... 1429504, 4096, ) == 0x0
 01686   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01687   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01688   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01689   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01690   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01691   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01692   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01693   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01694   472   NtClose  (204, ... ) == 0x0
 01695   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01696   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01697   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01698   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01699   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01700   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01701   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01702   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01703   472   NtClose  (204, ... ) == 0x0
 01704   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01705   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01706   472   NtClose  (204, ... ) == 0x0
 01707   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01708   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01709   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231240, ... ) }, 1231240, ... ) == 0x0
 01710   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01711   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01712   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01713   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01714   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01715   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01716   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01717   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01718   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01719   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01720   472   NtClose  (204, ... ) == 0x0
 01721   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01722   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01723   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01724   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01725   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01726   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01727   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01728   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01729   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01730   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01731   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01732   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01733   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01734   472   NtClose  (204, ... ) == 0x0
 01735   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01736   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01737   472   NtClose  (204, ... ) == 0x0
 01738   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01739   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01740   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01741   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01742   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01743   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01744   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01745   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01746   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01747   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01748   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01749   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01750   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01751   472   NtClose  (204, ... ) == 0x0
 01752   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01753   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01754   472   NtClose  (204, ... ) == 0x0
 01755   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01756   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01757   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229520, ... ) }, 1229520, ... ) == 0x0
 01758   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01759   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01760   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01761   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01762   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01763   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01764   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 83, 4096, 4, ... 10551296, 4096, ) == 0x0
 01765   472   NtReadFile  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (204, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01766   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01767   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01768   472   NtClose  (204, ... ) == 0x0
 01769   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01770   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01771   472   NtClose  (204, ... ) == 0x0
 01772   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01773   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01774   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01775   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01776   472   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01777   472   NtQueryValueKey  (204,  (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 01778   472   NtClose  (204, ... ) == 0x0
 01779   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01780   472   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01781   472   NtSetValueKey  (204,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1,  (204, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0
 01782   472   NtClose  (204, ... ) == 0x0
 01783   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01784   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01785   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01786   472   NtClose  (204, ... ) == 0x0
 01787   472   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 262144, ) == 0x0
 01788   472   NtClose  (200, ... ) == 0x0
 01789   472   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 01790   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01791   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01792   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01793   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01794   472   NtClose  (200, ... ) == 0x0
 01795   472   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01796   472   NtClose  (204, ... ) == 0x0
 01797   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01798   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01799   472   NtClose  (204, ... ) == 0x0
 01800   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01801   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01802   472   NtClose  (204, ... ) == 0x0
 01803   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01804   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233828, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01805   472   NtClose  (204, ... ) == 0x0
 01806   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01807   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01808   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229200, ... ) }, 1229200, ... ) == 0x0
 01809   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01810   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01811   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01812   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01813   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01814   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01815   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 142, 4096, 4, ... 10551296, 4096, ) == 0x0
 01816   472   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01817   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01818   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01819   472   NtClose  (204, ... ) == 0x0
 01820   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01821   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01822   472   NtClose  (204, ... ) == 0x0
 01823   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01824   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01825   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229172, ... ) }, 1229172, ... ) == 0x0
 01826   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01827   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01828   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01829   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01830   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01831   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01832   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 142, 4096, 4, ... 10551296, 4096, ) == 0x0
 01833   472   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01834   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01835   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01836   472   NtClose  (204, ... ) == 0x0
 01837   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01838   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01839   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01840   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01841   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01842   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01843   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01844   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01845   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01846   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 142, 4096, 4, ... 10551296, 4096, ) == 0x0
 01847   472   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01848   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01849   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01850   472   NtClose  (204, ... ) == 0x0
 01851   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01852   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01853   472   NtClose  (204, ... ) == 0x0
 01854   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01855   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01856   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01857   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01858   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01859   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01860   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01861   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01862   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01863   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 142, 4096, 4, ... 10551296, 4096, ) == 0x0
 01864   472   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01865   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01866   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01867   472   NtClose  (204, ... ) == 0x0
 01868   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01869   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01870   472   NtClose  (204, ... ) == 0x0
 01871   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01872   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01873   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229536, ... ) }, 1229536, ... ) == 0x0
 01874   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01875   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01876   472   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 204, {status=0x0, info=1}, ) }, 7, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01877   472   NtLockFile  (204, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01878   472   NtQueryInformationFile  (204, 1418592, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01879   472   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 10551296, 1052672, ) == 0x0
 01880   472   NtAllocateVirtualMemory  (-1, 10551296, 0, 142, 4096, 4, ... 10551296, 4096, ) == 0x0
 01881   472   NtReadFile  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (204, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 01882   472   NtFreeVirtualMemory  (-1, (0xa10000), 1052672, 32768, ... (0xa10000), 1052672, ) == 0x0
 01883   472   NtUnlockFile  (204, {0, 0}, {-1, -1}, 472, ... ) == STATUS_RANGE_NOT_LOCKED
 01884   472   NtClose  (204, ... ) == 0x0
 01885   472   NtOpenProcessToken  (-1, 0x8, ... 204, ) == 0x0
 01886   472   NtQueryInformationToken  (204, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01887   472   NtClose  (204, ... ) == 0x0
 01888   472   NtAllocateVirtualMemory  (-1, 1433600, 0, 4096, 4096, 4, ... 1433600, 4096, ) == 0x0
 01889   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01890   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01891   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01892   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01893   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01894   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01895   472   NtQueryValueKey  (204,  (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0
 01896   472   NtClose  (204, ... ) == 0x0
 01897   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01898   472   NtCreateKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01899   472   NtSetValueKey  (204,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1,  (204, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0
 01900   472   NtClose  (204, ... ) == 0x0
 01901   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01902   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01903   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01904   472   NtClose  (204, ... ) == 0x0
 01905   472   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 262144, ) == 0x0
 01906   472   NtClose  (200, ... ) == 0x0
 01907   472   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 01908   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01909   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01910   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01911   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01912   472   NtClose  (200, ... ) == 0x0
 01913   472   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01914   472   NtClose  (204, ... ) == 0x0
 01915   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01916   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1,  (204, 0, 0, 0, 1234000, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01917   472   NtClose  (204, ... ) == 0x0
 01918   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01919   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233912, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01920   472   NtClose  (204, ... ) == 0x0
 01921   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01922   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233844, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01923   472   NtClose  (204, ... ) == 0x0
 01924   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01925   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01926   472   NtReleaseSemaphore  (172, 1, ... 0, ) == 0x0
 01927   472   NtWaitForSingleObject  (172, 0, {0, 0}, ... ) == 0x0
 01928   472   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01929   472   NtQueryValueKey  (204,  (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0
 01930   472   NtClose  (204, ... ) == 0x0
 01931   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235672, ... ) }, 1235672, ... ) == 0x0
 01932   472   NtCreateKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01933   472   NtSetValueKey  (204,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1,  (204, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0
 01934   472   NtClose  (204, ... ) == 0x0
 01935   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234084, ... ) }, 1234084, ... ) == 0x0
 01936   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01937   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 204, ... 200, ) == 0x0
 01938   472   NtClose  (204, ... ) == 0x0
 01939   472   NtMapViewOfSection  (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 262144, ) == 0x0
 01940   472   NtClose  (200, ... ) == 0x0
 01941   472   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 01942   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01943   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01944   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 200, ) }, ... 200, ) == 0x0
 01945   472   NtOpenKey  (0x2000000, {24, 200, 0x40, 0, 0,  (0x2000000, {24, 200, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01946   472   NtClose  (200, ... ) == 0x0
 01947   472   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01948   472   NtClose  (204, ... ) == 0x0
 01949   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01950   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233996, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01951   472   NtClose  (204, ... ) == 0x0
 01952   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01953   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233908, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 01954   472   NtClose  (204, ... ) == 0x0
 01955   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 204, {status=0x0, info=1}, ) }, 3, 16417, ... 204, {status=0x0, info=1}, ) == 0x0
 01956   472   NtQueryDirectoryFile  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1,  (204, 0, 0, 0, 1233840, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 01957   472   NtClose  (204, ... ) == 0x0
 01958   472   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 204, ) }, ... 204, ) == 0x0
 01959   472   NtEnumerateValueKey  (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (204, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 01960   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01961   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01962   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 200, ) }, ... 200, ) == 0x0
 01963   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01964   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01965   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01966   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01967   472   NtClose  (208, ... ) == 0x0
 01968   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01969   472   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 01970   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01971   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01972   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01973   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01974   472   NtClose  (208, ... ) == 0x0
 01975   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01976   472   NtQueryValueKey  (202,  (202, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01977   472   NtClose  (202, ... ) == 0x0
 01978   472   NtEnumerateValueKey  (204, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 01979   472   NtClose  (204, ... ) == 0x0
 01980   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01981   472   NtQueryValueKey  (204,  (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (204, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 01982   472   NtClose  (204, ... ) == 0x0
 01983   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01984   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01985   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236008, ... ) }, 1236008, ... ) == 0x0
 01986   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01987   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01988   472   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 204, ) }, ... 204, ) == 0x0
 01989   472   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 01990   472   NtQueryValueKey  (204,  (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (204, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 01991   472   NtClose  (204, ... ) == 0x0
 01992   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01993   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01994   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01995   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01996   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 01997   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01998   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 01999   472   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02000   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02001   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02002   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02003   472   NtClose  (200, ... ) == 0x0
 02004   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02005   472   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02006   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02007   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02008   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 200, ) }, ... 200, ) == 0x0
 02009   472   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02010   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02011   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02012   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02013   472   NtClose  (208, ... ) == 0x0
 02014   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02015   472   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02016   472   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02017   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02018   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02019   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02020   472   NtClose  (208, ... ) == 0x0
 02021   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02022   472   NtOpenKey  (0x2000000, {24, 202, 0x40, 0, 0, ""}, ... 208, ) == 0x0
 02023   472   NtClose  (202, ... ) == 0x0
 02024   472   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02025   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02026   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02027   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02028   472   NtClose  (200, ... ) == 0x0
 02029   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02030   472   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02031   472   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 02032   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02033   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 200, ) == 0x0
 02034   472   NtQueryInformationToken  (200, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02035   472   NtClose  (200, ... ) == 0x0
 02036   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02037   472   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02038   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02039   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02040   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02041   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 02042   472   NtOpenKey  (0x1, {24, 146, 0x40, 0, 0,  (0x1, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02043   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02044   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02045   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02046   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02047   472   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02048   472   NtClose  (212, ... ) == 0x0
 02049   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02050   472   NtQueryValueKey  (202,  (202, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02051   472   NtClose  (202, ... ) == 0x0
 02052   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02053   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02054   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 200, ) }, ... 200, ) == 0x0
 02055   472   NtQueryKey  (202, Name, 384, ... {Name= (202, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 02056   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02057   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02058   472   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02059   472   NtClose  (212, ... ) == 0x0
 02060   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02061   472   NtOpenKey  (0x1, {24, 202, 0x40, 0, 0,  (0x1, {24, 202, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02062   472   NtClose  (206, ... ) == 0x0
 02063   472   NtClose  (210, ... ) == 0x0
 02064   472   NtClose  (202, ... ) == 0x0
 02065   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02066   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02067   472   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02068   472   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02069   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02070   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02071   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 200, ) }, ... 200, ) == 0x0
 02072   472   NtQueryKey  (202, Name, 392, ... {Name= (202, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02073   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02074   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02075   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02076   472   NtClose  (208, ... ) == 0x0
 02077   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02078   472   NtQueryValueKey  (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (202, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02079   472   NtQueryKey  (146, Name, 384, ... {Name= (146, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02080   472   NtOpenKey  (0x2000000, {24, 146, 0x40, 0, 0,  (0x2000000, {24, 146, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02081   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 208, ) }, ... 208, ) == 0x0
 02082   472   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02083   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02084   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02085   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02086   472   NtClose  (204, ... ) == 0x0
 02087   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02088   472   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02089   472   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02090   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02091   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02092   472   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02093   472   NtClose  (204, ... ) == 0x0
 02094   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02095   472   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 02096   472   NtClose  (210, ... ) == 0x0
 02097   472   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02098   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02099   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02100   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02101   472   NtClose  (208, ... ) == 0x0
 02102   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02103   472   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0,  (0x2000000, {24, 206, 0x40, 0, 0, "shell"}, ... 208, ) }, ... 208, ) == 0x0
 02104   472   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02105   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02106   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02107   472   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02108   472   NtClose  (212, ... ) == 0x0
 02109   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02110   472   NtQueryValueKey  (210, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02111   472   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02112   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02113   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02114   472   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02115   472   NtClose  (212, ... ) == 0x0
 02116   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02117   472   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "open"}, ... 212, ) }, ... 212, ) == 0x0
 02118   472   NtClose  (210, ... ) == 0x0
 02119   472   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02120   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02121   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02122   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02123   472   NtClose  (208, ... ) == 0x0
 02124   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02125   472   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02126   472   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02127   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02128   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02129   472   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02130   472   NtClose  (216, ... ) == 0x0
 02131   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02132   472   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02133   472   NtClose  (210, ... ) == 0x0
 02134   472   NtOpenKey  (0x2000000, {24, 60, 0x40, 0, 0,  (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02135   472   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02136   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02137   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02138   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02139   472   NtClose  (208, ... ) == 0x0
 02140   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02141   472   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02142   472   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02143   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02144   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02145   472   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02146   472   NtClose  (216, ... ) == 0x0
 02147   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02148   472   NtQueryValueKey  (210,  (210, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02149   472   NtClose  (210, ... ) == 0x0
 02150   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02151   472   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02152   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02153   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02154   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02155   472   NtClose  (208, ... ) == 0x0
 02156   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02157   472   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02158   472   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02159   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02160   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02161   472   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02162   472   NtClose  (216, ... ) == 0x0
 02163   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02164   472   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02165   472   NtClose  (210, ... ) == 0x0
 02166   472   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02167   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02168   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02169   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02170   472   NtClose  (208, ... ) == 0x0
 02171   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02172   472   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02173   472   NtUserGetForegroundWindow  (... ) == 0x20060
 02174   472   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02175   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02176   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02177   472   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02178   472   NtClose  (208, ... ) == 0x0
 02179   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02180   472   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "command"}, ... 208, ) }, ... 208, ) == 0x0
 02181   472   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02182   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02183   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02184   472   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02185   472   NtClose  (216, ... ) == 0x0
 02186   472   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   472   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02188   472   NtClose  (210, ... ) == 0x0
 02189   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02190   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02191   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02192   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02193   472   NtQueryValueKey  (208,  (208, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   472   NtClose  (208, ... ) == 0x0
 02195   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02196   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02197   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02198   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02199   472   NtQueryValueKey  (208,  (208, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02200   472   NtClose  (208, ... ) == 0x0
 02201   472   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   472   NtOpenKey  (0x2000000, {24, 32, 0x40, 0, 0,  (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02203   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02204   472   NtReleaseSemaphore  (148, 1, ... 0, ) == 0x0
 02205   472   NtWaitForSingleObject  (148, 0, {0, 0}, ... ) == 0x0
 02206   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02207   472   NtOpenKey  (0x1, {24, 60, 0x40, 0, 0,  (0x1, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 208, ) }, ... 208, ) == 0x0
 02208   472   NtQueryValueKey  (208,  (208, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02209   472   NtClose  (208, ... ) == 0x0
 02210   472   NtOpenKey  (0x1, {24, 32, 0x40, 0, 0,  (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02211   472   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02212   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231308, ... ) }, 1231308, ... ) == 0x0
 02213   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02214   472   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02215   472   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 02216   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 216, ) }, ... 216, ) == 0x0
 02217   472   NtQueryValueKey  (216,  (216, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02218   472   NtClose  (216, ... ) == 0x0
 02219   472   NtQueryVolumeInformationFile  (208, 1231308, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02220   472   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 216, ) }, ... 216, ) == 0x0
 02221   472   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02222   472   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 220, ) }, ... 220, ) == 0x0
 02223   472   NtMapViewOfSection  (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa10000), {0, 0}, 57344, ) == 0x0
 02224   472   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02225   472   NtAllocateVirtualMemory  (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0
 02226   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229292, ... ) }, 1229292, ... ) == 0x0
 02227   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 224, {status=0x0, info=1}, ) == 0x0
 02228   472   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 224, ... 228, ) == 0x0
 02229   472   NtClose  (224, ... ) == 0x0
 02230   472   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 106496, ) == 0x0
 02231   472   NtClose  (228, ... ) == 0x0
 02232   472   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02233   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229608, ... ) }, 1229608, ... ) == 0x0
 02234   472   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02235   472   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 228, ... 224, ) == 0x0
 02236   472   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02237   472   NtClose  (228, ... ) == 0x0
 02238   472   NtMapViewOfSection  (224, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02239   472   NtClose  (224, ... ) == 0x0
 02240   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0
 02241   472   NtQueryInformationFile  (224, 1229896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02242   472   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 224, ... 228, ) == 0x0
 02243   472   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa20000), 0x0, 1028096, ) == 0x0
 02244   472   NtQueryInformationFile  (224, 1229992, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02245   472   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02246   472   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02247   472   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02248   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02249   472   NtQueryDirectoryFile  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1,  (232, 0, 0, 0, 1227556, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 02250   472   NtClose  (232, ... ) == 0x0
 02251   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02252   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02253   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226944, ... ) }, 1226944, ... ) == 0x0
 02254   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02255   472   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02256   472   NtClose  (232, ... ) == 0x0
 02257   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02258   472   NtQueryDirectoryFile  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1,  (232, 0, 0, 0, 1226304, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02259   472   NtClose  (232, ... ) == 0x0
 02260   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02261   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02262   472   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02263   472   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02264   472   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 232, ) == 0x0
 02265   472   NtQueryInformationToken  (232, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02266   472   NtClose  (232, ... ) == 0x0
 02267   472   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   472   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02269   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02270   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02271   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229224, ... ) }, 1229224, ... ) == 0x0
 02272   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02273   472   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02274   472   NtClose  (232, ... ) == 0x0
 02275   472   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 232, {status=0x0, info=1}, ) }, 3, 16417, ... 232, {status=0x0, info=1}, ) == 0x0
 02276   472   NtQueryDirectoryFile  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1,  (232, 0, 0, 0, 1228584, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02277   472   NtClose  (232, ... ) == 0x0
 02278   472   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02279   472   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02280   472   NtWaitForSingleObject  (216, 0, {-1000000, -1}, ... ) == 0x0
 02281   472   NtQueryVolumeInformationFile  (208, 1229868, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02282   472   NtQueryInformationFile  (208, 1229848, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02283   472   NtQueryInformationFile  (208, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02284   472   NtReleaseMutant  (216, ... 0x0, ) == 0x0
 02285   472   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02286   472   NtClose  (228, ... ) == 0x0
 02287   472   NtClose  (224, ... ) == 0x0
 02288   472   NtClose  (208, ... ) == 0x0
 02289   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02290   472   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02291   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231284, ... ) }, 1231284, ... ) == 0x0
 02292   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02293   472   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02294   472   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 208, ... 224, ) == 0x0
 02295   472   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   472   NtQuerySection  (224, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02297   472   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02298   472   NtCreateProcessEx  (1233936, 2035711, 0, -1, 0, 224, 0, 0, 0, ... ) == 0x0
 02299   472   NtSetInformationProcess  (228, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02300   472   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=856,ParentPid=440,}, 0x0, ) == 0x0
 02301   472   NtReadVirtualMemory  (228, 0x7ffdf008, 4, ...  (228, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 02302   472   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   472   NtAllocateVirtualMemory  (-1, 1441792, 0, 8192, 4096, 4, ... 1441792, 8192, ) == 0x0
 02304   472   NtReadVirtualMemory  (228, 0x4ad00000, 4096, ...  (228, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02305   472   NtReadVirtualMemory  (228, 0x4ad3b000, 256, ...  (228, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 02306   472   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02307   472   NtQueryInformationProcess  (228, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=856,ParentPid=440,}, 0x0, ) == 0x0
 02308   472   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1232000, ... ) }, 1232000, ... ) == 0x0
 02309   472   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 10616832, 4096, ) == 0x0
 02310   472   NtAllocateVirtualMemory  (228, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02311   472   NtWriteVirtualMemory  (228, 0x10000,  (228, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02312   472   NtAllocateVirtualMemory  (228, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02313   472   NtWriteVirtualMemory  (228, 0x20000,  (228, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0
 02314   472   NtWriteVirtualMemory  (228, 0x7ffdf010,  (228, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02315   472   NtWriteVirtualMemory  (228, 0x7ffdf1e8,  (228, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02316   472   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 02317   472   NtAllocateVirtualMemory  (228, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02318   472   NtAllocateVirtualMemory  (228, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 02319   472   NtCreateThread  (0x1f03ff, 0x0, 228, 1232200, 1232920, 1, ... 232, {856, 860}, ) == 0x0
 02320   472   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 472, 1560, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 440, 472, 1560, 0}  (24, {168, 196, new_msg, 0, 0, 1234032, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 440, 472, 1560, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\344\0\0\0\350\0\0\0X\3\0\0\\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\374\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02321   472   NtResumeThread  (232, ... 1, ) == 0x0
 02322   472   NtClose  (208, ... ) == 0x0
 02323   472   NtClose  (224, ... ) == 0x0
 02324   472   NtClose  (214, ... ) == 0x0
 02325   472   NtClose  (202, ... ) == 0x0
 02326   472   NtClose  (206, ... ) == 0x0
 02327   472   NtClose  (228, ... ) == 0x0
 02328   472   NtClose  (232, ... ) == 0x0
 02329   472   NtUserDestroyWindow  (131250, ...
 02330   472   NtUserRemoveProp  (131250, 43288, ... ) == 0xffffffff
 02331   472   NtUserRemoveProp  (131250, 43282, ... ) == 0x0
 02332   472   NtUserRemoveProp  (131250, 43287, ... ) == 0x0
 02329   472   NtUserDestroyWindow  ... ) == 0x1
 02333   472   NtUserUnregisterClass  (1237380, 1998258176, 1237368, ... ) == 0x1
 02334   472   NtTerminateProcess  (0, 0, ... ) == 0x0
 02335   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02336   472   NtWaitForMultipleObjects  (2, (168, 160, ), 1, 0, 0x0, ... ) == 0x1
 02337   472   NtClose  (160, ... ) == 0x0
 02338   472   NtSetEvent  (168, ... 0x0, ) == 0x0
 02339   472   NtClose  (168, ... ) == 0x0
 02340   472   NtWaitForMultipleObjects  (2, (176, 180, ), 1, 0, 0x0, ... ) == 0x1
 02341   472   NtClose  (180, ... ) == 0x0
 02342   472   NtSetEvent  (176, ... 0x0, ) == 0x0
 02343   472   NtClose  (176, ... ) == 0x0
 02344   472   NtWaitForMultipleObjects  (2, (184, 188, ), 1, 0, 0x0, ... ) == 0x1
 02345   472   NtClose  (188, ... ) == 0x0
 02346   472   NtSetEvent  (184, ... 0x0, ) == 0x0
 02347   472   NtClose  (184, ... ) == 0x0
 02348   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02349   472   NtUnmapViewOfSection  (-1, 0x9b0000, ... ) == 0x0
 02350   472   NtClose  (108, ... ) == 0x0
 02351   472   NtGdiDeleteObjectApp  (68158431, ... ) == 0x1
 02352   472   NtUserGetProcessWindowStation  (... ) == 0x28
 02353   472   NtUserBuildNameList  (40, 256, 1326728, 1241844, ... ) == 0x0
 02354   472   NtUserGetProcessWindowStation  (... ) == 0x28
 02355   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x6c
 02356   472   NtUserBuildHwndList  (108, 0, 0, 0, 64, ... (0x100aa, 0x100a8, 0x100a6, 0x60036, 0x20062, 0x10080, 0x10078, 0x10068, 0x3004a, 0x10066, 0x3004c, 0x3003c, 0x1009c, 0x10090, 0x10084, 0x10026, 0x100d6, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x100b0, 0x100ae, 0x2005e, 0x20060, 0x100cc, 0x100c2, 0x100c0, 0x100ac, 0x10070, 0x50050, 0x40054, 0x5004e, 0x10086, 0x1007a, 0x1, ), 38, ) == 0x0
 02357   472   NtUserQueryWindow  (65706, 0, ... ) == 0x7dc
 02358   472   NtUserQueryWindow  (65706, 1, ... ) == 0x7e0
 02359   472   NtUserQueryWindow  (65704, 0, ... ) == 0x7dc
 02360   472   NtUserQueryWindow  (65704, 1, ... ) == 0x7e0
 02361   472   NtUserQueryWindow  (65702, 0, ... ) == 0x7dc
 02362   472   NtUserQueryWindow  (65702, 1, ... ) == 0x7e0
 02363   472   NtUserQueryWindow  (393270, 0, ... ) == 0x7dc
 02364   472   NtUserQueryWindow  (393270, 1, ... ) == 0x7e0
 02365   472   NtUserQueryWindow  (131170, 0, ... ) == 0x76c
 02366   472   NtUserQueryWindow  (131170, 1, ... ) == 0x780
 02367   472   NtUserQueryWindow  (65664, 0, ... ) == 0x76c
 02368   472   NtUserQueryWindow  (65664, 1, ... ) == 0x780
 02369   472   NtUserBuildHwndList  (0, 65664, 1, 0, 64, ... (0x10082, 0x1008a, 0x1008c, 0x1008e, 0x10092, 0x10094, 0x10096, 0x10098, 0x1009a, 0x1009e, 0x100a0, 0x100a2, 0x1, ), 13, ) == 0x0
 02370   472   NtUserQueryWindow  (65666, 0, ... ) == 0x76c
 02371   472   NtUserQueryWindow  (65666, 1, ... ) == 0x780
 02372   472   NtUserQueryWindow  (65674, 0, ... ) == 0x76c
 02373   472   NtUserQueryWindow  (65674, 1, ... ) == 0x780
 02374   472   NtUserQueryWindow  (65676, 0, ... ) == 0x76c
 02375   472   NtUserQueryWindow  (65676, 1, ... ) == 0x780
 02376   472   NtUserQueryWindow  (65678, 0, ... ) == 0x76c
 02377   472   NtUserQueryWindow  (65678, 1, ... ) == 0x780
 02378   472   NtUserQueryWindow  (65682, 0, ... ) == 0x76c
 02379   472   NtUserQueryWindow  (65682, 1, ... ) == 0x780
 02380   472   NtUserQueryWindow  (65684, 0, ... ) == 0x76c
 02381   472   NtUserQueryWindow  (65684, 1, ... ) == 0x780
 02382   472   NtUserQueryWindow  (65686, 0, ... ) == 0x76c
 02383   472   NtUserQueryWindow  (65686, 1, ... ) == 0x780
 02384   472   NtUserQueryWindow  (65688, 0, ... ) == 0x76c
 02385   472   NtUserQueryWindow  (65688, 1, ... ) == 0x780
 02386   472   NtUserQueryWindow  (65690, 0, ... ) == 0x76c
 02387   472   NtUserQueryWindow  (65690, 1, ... ) == 0x780
 02388   472   NtUserQueryWindow  (65694, 0, ... ) == 0x76c
 02389   472   NtUserQueryWindow  (65694, 1, ... ) == 0x780
 02390   472   NtUserQueryWindow  (65696, 0, ... ) == 0x76c
 02391   472   NtUserQueryWindow  (65696, 1, ... ) == 0x780
 02392   472   NtUserQueryWindow  (65698, 0, ... ) == 0x76c
 02393   472   NtUserQueryWindow  (65698, 1, ... ) == 0x780
 02394   472   NtUserQueryWindow  (65656, 0, ... ) == 0x76c
 02395   472   NtUserQueryWindow  (65656, 1, ... ) == 0x780
 02396   472   NtUserQueryWindow  (65640, 0, ... ) == 0x76c
 02397   472   NtUserQueryWindow  (65640, 1, ... ) == 0x780
 02398   472   NtUserQueryWindow  (196682, 0, ... ) == 0x76c
 02399   472   NtUserQueryWindow  (196682, 1, ... ) == 0x780
 02400   472   NtUserQueryWindow  (65638, 0, ... ) == 0x76c
 02401   472   NtUserQueryWindow  (65638, 1, ... ) == 0x780
 02402   472   NtUserQueryWindow  (196684, 0, ... ) == 0x76c
 02403   472   NtUserQueryWindow  (196684, 1, ... ) == 0x780
 02404   472   NtUserQueryWindow  (196668, 0, ... ) == 0x76c
 02405   472   NtUserQueryWindow  (196668, 1, ... ) == 0x780
 02406   472   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x10072, 0x10076, 0x1, ), 10, ) == 0x0
 02407   472   NtUserQueryWindow  (196670, 0, ... ) == 0x76c
 02408   472   NtUserQueryWindow  (196670, 1, ... ) == 0x780
 02409   472   NtUserQueryWindow  (196674, 0, ... ) == 0x76c
 02410   472   NtUserQueryWindow  (196674, 1, ... ) == 0x780
 02411   472   NtUserQueryWindow  (196672, 0, ... ) == 0x76c
 02412   472   NtUserQueryWindow  (196672, 1, ... ) == 0x780
 02413   472   NtUserQueryWindow  (196676, 0, ... ) == 0x76c
 02414   472   NtUserQueryWindow  (196676, 1, ... ) == 0x780
 02415   472   NtUserQueryWindow  (196678, 0, ... ) == 0x76c
 02416   472   NtUserQueryWindow  (196678, 1, ... ) == 0x780
 02417   472   NtUserQueryWindow  (196680, 0, ... ) == 0x76c
 02418   472   NtUserQueryWindow  (196680, 1, ... ) == 0x780
 02419   472   NtUserQueryWindow  (65642, 0, ... ) == 0x76c
 02420   472   NtUserQueryWindow  (65642, 1, ... ) == 0x780
 02421   472   NtUserQueryWindow  (65650, 0, ... ) == 0x76c
 02422   472   NtUserQueryWindow  (65650, 1, ... ) == 0x780
 02423   472   NtUserQueryWindow  (65654, 0, ... ) == 0x76c
 02424   472   NtUserQueryWindow  (65654, 1, ... ) == 0x780
 02425   472   NtUserQueryWindow  (65692, 0, ... ) == 0x76c
 02426   472   NtUserQueryWindow  (65692, 1, ... ) == 0x780
 02427   472   NtUserQueryWindow  (65680, 0, ... ) == 0x76c
 02428   472   NtUserQueryWindow  (65680, 1, ... ) == 0x780
 02429   472   NtUserQueryWindow  (65668, 0, ... ) == 0x76c
 02430   472   NtUserQueryWindow  (65668, 1, ... ) == 0x770
 02431   472   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 02432   472   NtUserQueryWindow  (65574, 1, ... ) == 0x2c4
 02433   472   NtUserQueryWindow  (65750, 0, ... ) == 0x358
 02434   472   NtUserQueryWindow  (65750, 1, ... ) == 0x35c
 02435   472   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 02436   472   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 02437   472   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 02438   472   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 02439   472   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 02440   472   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 02441   472   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 02442   472   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 02443   472   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 02444   472   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 02445   472   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 02446   472   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 02447   472   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 02448   472   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 02449   472   NtUserQueryWindow  (65710, 0, ... ) == 0x7e4
 02450   472   NtUserQueryWindow  (65710, 1, ... ) == 0x7e8
 02451   472   NtUserQueryWindow  (131166, 0, ... ) == 0x7d4
 02452   472   NtUserQueryWindow  (131166, 1, ... ) == 0x7d8
 02453   472   NtUserQueryWindow  (131168, 0, ... ) == 0x7f0
 02454   472   NtUserQueryWindow  (131168, 1, ... ) == 0x7f4
 02455   472   NtUserQueryWindow  (65740, 0, ... ) == 0x76c
 02456   472   NtUserQueryWindow  (65740, 1, ... ) == 0x108
 02457   472   NtUserQueryWindow  (65730, 0, ... ) == 0x76c
 02458   472   NtUserQueryWindow  (65730, 1, ... ) == 0x108
 02459   472   NtUserBuildHwndList  (0, 65730, 1, 0, 64, ... (0x100c4, 0x100c6, 0x100c8, 0x100ca, 0x1, ), 5, ) == 0x0
 02460   472   NtUserQueryWindow  (65732, 0, ... ) == 0x76c
 02461   472   NtUserQueryWindow  (65732, 1, ... ) == 0x108
 02462   472   NtUserQueryWindow  (65734, 0, ... ) == 0x76c
 02463   472   NtUserQueryWindow  (65734, 1, ... ) == 0x108
 02464   472   NtUserQueryWindow  (65736, 0, ... ) == 0x76c
 02465   472   NtUserQueryWindow  (65736, 1, ... ) == 0x108
 02466   472   NtUserQueryWindow  (65738, 0, ... ) == 0x76c
 02467   472   NtUserQueryWindow  (65738, 1, ... ) == 0x108
 02468   472   NtUserQueryWindow  (65728, 0, ... ) == 0x76c
 02469   472   NtUserQueryWindow  (65728, 1, ... ) == 0x780
 02470   472   NtUserQueryWindow  (65708, 0, ... ) == 0x7dc
 02471   472   NtUserQueryWindow  (65708, 1, ... ) == 0x7e0
 02472   472   NtUserQueryWindow  (65648, 0, ... ) == 0x76c
 02473   472   NtUserQueryWindow  (65648, 1, ... ) == 0x7c0
 02474   472   NtUserQueryWindow  (327760, 0, ... ) == 0x76c
 02475   472   NtUserQueryWindow  (327760, 1, ... ) == 0x770
 02476   472   NtUserQueryWindow  (262228, 0, ... ) == 0x76c
 02477   472   NtUserQueryWindow  (262228, 1, ... ) == 0x770
 02478   472   NtUserQueryWindow  (327758, 0, ... ) == 0x76c
 02479   472   NtUserQueryWindow  (327758, 1, ... ) == 0x770
 02480   472   NtUserQueryWindow  (65670, 0, ... ) == 0x76c
 02481   472   NtUserQueryWindow  (65670, 1, ... ) == 0x770
 02482   472   NtUserQueryWindow  (65658, 0, ... ) == 0x76c
 02483   472   NtUserQueryWindow  (65658, 1, ... ) == 0x770
 02484   472   NtUserBuildHwndList  (0, 65658, 1, 0, 64, ... (0x1007c, 0x1007e, 0x1, ), 3, ) == 0x0
 02485   472   NtUserQueryWindow  (65660, 0, ... ) == 0x76c
 02486   472   NtUserQueryWindow  (65660, 1, ... ) == 0x770
 02487   472   NtUserQueryWindow  (65662, 0, ... ) == 0x76c
 02488   472   NtUserQueryWindow  (65662, 1, ... ) == 0x770
 02489   472   NtUserCloseDesktop  (108, ...
 02490   472   NtClose  (108, ... ) == 0x0
 02489   472   NtUserCloseDesktop  ... ) == 0x1
 02491   472   NtUserGetProcessWindowStation  (... ) == 0x28
 02492   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02493   472   NtUserGetProcessWindowStation  (... ) == 0x28
 02494   472   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02495   472   NtGdiDeleteObjectApp  (201982949, ... ) == 0x1
 02496   472   NtGdiDeleteObjectApp  (151651313, ... ) == 0x1
 02497   472   NtClose  (100, ... ) == 0x0
 02498   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02499   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02500   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02501   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02502   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02503   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02504   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02505   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02506   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02507   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02508   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02509   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02510   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02511   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02512   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02513   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02514   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02515   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02516   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02517   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02518   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02519   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02520   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02521   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02522   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02523   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02524   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02525   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02526   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02527   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02528   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02529   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02530   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02531   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02532   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02533   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02534   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02535   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc017
 02536   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02537   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc019
 02538   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02539   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc018
 02540   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02541   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01a
 02542   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02543   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01c
 02544   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02545   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01e
 02546   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02547   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc01b
 02548   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02549   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc068
 02550   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02551   472   NtUserGetClassInfo  (1905590272, 1241892, 1241844, 1241920, 0, ... ) == 0xc06a
 02552   472   NtUserUnregisterClass  (1241896, 1905590272, 1241884, ... ) == 0x1
 02553   472   NtUnmapViewOfSection  (-1, 0x890000, ... ) == 0x0
 02554   472   NtClose  (72, ... ) == 0x0
 02555   472   NtUnmapViewOfSection  (-1, 0x880000, ... ) == 0x0
 02556   472   NtClose  (76, ... ) == 0x0
 02557   472   NtClose  (68, ... ) == 0x0
 02558   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xb,}, 4, ... ) == 0x0
 02559   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03b
 02560   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02561   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03d
 02562   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02563   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc03f
 02564   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02565   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc041
 02566   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02567   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc043
 02568   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02569   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc045
 02570   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02571   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc047
 02572   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02573   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc049
 02574   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02575   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04b
 02576   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02577   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04d
 02578   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02579   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc04f
 02580   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02581   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc051
 02582   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02583   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc053
 02584   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02585   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc057
 02586   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02587   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc059
 02588   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02589   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05b
 02590   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02591   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05d
 02592   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02593   472   NtUserGetClassInfo  (1999896576, 1241892, 1241844, 1241920, 0, ... ) == 0xc05f
 02594   472   NtUserUnregisterClass  (1241896, 1999896576, 1241884, ... ) == 0x1
 02595   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02596   472   NtClose  (172, ... ) == 0x0
 02597   472   NtClose  (148, ... ) == 0x0
 02598   472   NtClose  (164, ... ) == 0x0
 02599   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02600   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02601   472   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02602   472   NtClose  (152, ... ) == 0x0
 02603   472   NtClose  (156, ... ) == 0x0
 02604   472   NtClose  (104, ... ) == 0x0
 02605   472   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02606   472   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 472, 1595, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 440, 472, 1595, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 440, 472, 1595, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02607   472   NtTerminateProcess  (-1, 0, ...
 02608   472   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtAdjustPrivilegesToken(>)	2	NtGdiGetStockObject(>)	5	NtUserRegisterWindowMessage(>)	19
NtAddAtom(>)	1	NtContinue(>)	2	NtUserBuildHwndList(>)	5	NtOpenThreadToken(>)	20
NtCallbackReturn(>)	1	NtCreateIoCompletion(>)	2	NtWriteFile(>)	5	NtUnmapViewOfSection(>)	21
NtConnectPort(>)	1	NtEnumerateKey(>)	2	NtCreateSemaphore(>)	6	NtCreateKey(>)	22
NtCreateProcessEx(>)	1	NtGdiCreateSolidBrush(>)	2	NtOpenSymbolicLinkObject(>)	6	NtCreateSection(>)	27
NtCreateThread(>)	1	NtGdiHfontCreate(>)	2	NtQueryDefaultLocale(>)	6	NtQueryInformationFile(>)	27
NtDeleteValueKey(>)	1	NtOpenDirectoryObject(>)	2	NtQuerySymbolicLinkObject(>)	6	NtOpenSection(>)	29
NtGdiCreateBitmap(>)	1	NtOpenMutant(>)	2	NtUserGetProcessWindowStation(>)	6	NtReleaseSemaphore(>)	31
NtGdiCreatePatternBrushInternal(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtSetInformationProcess(>)	31
NtGdiInit(>)	1	NtQueryVirtualMemory(>)	2	NtQueryDefaultUILanguage(>)	8	NtWaitForSingleObject(>)	33
NtGdiQueryFontAssocInfo(>)	1	NtReleaseMutant(>)	2	NtSetInformationFile(>)	8	NtProtectVirtualMemory(>)	36
NtGdiSelectBitmap(>)	1	NtTerminateProcess(>)	2	NtQueryVolumeInformationFile(>)	9	NtUserUnregisterClass(>)	46
NtNotifyChangeKey(>)	1	NtUserCloseDesktop(>)	2	NtFsControlFile(>)	10	NtMapViewOfSection(>)	48
NtOpenKeyedEvent(>)	1	NtUserCreateWindowEx(>)	2	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	48
NtOpenProcess(>)	1	NtUserDestroyWindow(>)	2	NtQuerySection(>)	11	NtQueryInformationProcess(>)	51
NtQueryInformationJobObject(>)	1	NtUserMessageCall(>)	2	NtRequestWaitReplyPort(>)	11	NtDeviceIoControlFile(>)	55
NtQueryObject(>)	1	NtCreateMutant(>)	3	NtUserCallOneParam(>)	11	NtOpenProcessTokenEx(>)	60
NtQueryPerformanceCounter(>)	1	NtDuplicateObject(>)	3	NtUserSystemParametersInfo(>)	11	NtOpenThreadTokenEx(>)	60
NtQuerySystemTime(>)	1	NtEnumerateValueKey(>)	3	NtLockFile(>)	13	NtUserRegisterClassExWOW(>)	64
NtRegisterThreadTerminatePort(>)	1	NtGdiCreateCompatibleDC(>)	3	NtUnlockFile(>)	13	NtQueryAttributesFile(>)	68
NtResumeThread(>)	1	NtGdiDeleteObjectApp(>)	3	NtCreateEvent(>)	14	NtQueryInformationToken(>)	72
NtSecureConnectPort(>)	1	NtOpenEvent(>)	3	NtOpenProcessToken(>)	14	NtQueryKey(>)	73
NtTestAlert(>)	1	NtReadVirtualMemory(>)	3	NtSetValueKey(>)	15	NtUserGetClassInfo(>)	82
NtUserBuildNameList(>)	1	NtSetEvent(>)	3	NtQueryDebugFilterState(>)	16	NtAllocateVirtualMemory(>)	88
NtUserGetAtomName(>)	1	NtUserGetObjectInformation(>)	3	NtFlushInstructionCache(>)	17	NtQuerySystemInformation(>)	88
NtUserGetDC(>)	1	NtUserOpenDesktop(>)	3	NtFreeVirtualMemory(>)	17	NtOpenFile(>)	90
NtUserGetForegroundWindow(>)	1	NtUserRemoveProp(>)	3	NtQueryDirectoryFile(>)	17	NtQueryValueKey(>)	125
NtUserGetGUIThreadInfo(>)	1	NtWaitForMultipleObjects(>)	3	NtReadFile(>)	17	NtUserQueryWindow(>)	128
NtUserGetThreadDesktop(>)	1	NtSetInformationObject(>)	4	NtSetInformationThread(>)	17	NtOpenKey(>)	288
NtUserSetProp(>)	1	NtWriteVirtualMemory(>)	4	NtCreateFile(>)	18	NtClose(>)	385