Summary:


NtAccessCheck(>)  1 
NtCreateIoCompletion(>)  2 
NtCreateSemaphore(>)  6 
NtOpenThreadToken(>)  20 

NtAddAtom(>)  1 
NtEnumerateKey(>)  2 
NtOpenSymbolicLinkObject(>)  6 
NtUnmapViewOfSection(>)  21 

NtCallbackReturn(>)  1 
NtGdiCreateSolidBrush(>)  2 
NtQueryDefaultLocale(>)  6 
NtCreateKey(>)  22 

NtConnectPort(>)  1 
NtGdiHfontCreate(>)  2 
NtQuerySymbolicLinkObject(>)  6 
NtCreateSection(>)  27 

NtCreateProcessEx(>)  1 
NtOpenDirectoryObject(>)  2 
NtUserGetProcessWindowStation(>)  6 
NtQueryInformationFile(>)  27 

NtCreateThread(>)  1 
NtQueryInstallUILanguage(>)  2 
NtUserCallNoParam(>)  7 
NtReadVirtualMemory(>)  30 

NtDeleteValueKey(>)  1 
NtRaiseException(>)  2 
NtOpenProcess(>)  8 
NtOpenSection(>)  31 

NtGdiCreateBitmap(>)  1 
NtTerminateProcess(>)  2 
NtQueryDefaultUILanguage(>)  8 
NtReleaseSemaphore(>)  31 

NtGdiCreatePatternBrushInternal(>)  1 
NtUserCloseDesktop(>)  2 
NtSetInformationFile(>)  8 
NtSetInformationProcess(>)  31 

NtGdiInit(>)  1 
NtUserCreateWindowEx(>)  2 
NtQueryVolumeInformationFile(>)  9 
NtWaitForSingleObject(>)  35 

NtGdiQueryFontAssocInfo(>)  1 
NtUserDestroyWindow(>)  2 
NtUserBuildHwndList(>)  9 
NtProtectVirtualMemory(>)  40 

NtGdiSelectBitmap(>)  1 
NtUserMessageCall(>)  2 
NtContinue(>)  10 
NtUserUnregisterClass(>)  46 

NtNotifyChangeKey(>)  1 
NtCreateMutant(>)  3 
NtFsControlFile(>)  10 
NtMapViewOfSection(>)  48 

NtOpenKeyedEvent(>)  1 
NtEnumerateValueKey(>)  3 
NtUserGetWindowDC(>)  10 
NtUserFindExistingCursorIcon(>)  48 

NtQueryInformationJobObject(>)  1 
NtGdiCreateCompatibleDC(>)  3 
NtFlushInstructionCache(>)  11 
NtQueryInformationProcess(>)  51 

NtQueryObject(>)  1 
NtGdiDeleteObjectApp(>)  3 
NtQuerySection(>)  11 
NtDeviceIoControlFile(>)  55 

NtQueryPerformanceCounter(>)  1 
NtOpenEvent(>)  3 
NtRequestWaitReplyPort(>)  11 
NtOpenProcessTokenEx(>)  60 

NtQuerySystemTime(>)  1 
NtOpenMutant(>)  3 
NtUserCallOneParam(>)  11 
NtOpenThreadTokenEx(>)  60 

NtRegisterThreadTerminatePort(>)  1 
NtSetEvent(>)  3 
NtUserSystemParametersInfo(>)  11 
NtUserRegisterClassExWOW(>)  64 

NtResumeThread(>)  1 
NtUserGetObjectInformation(>)  3 
NtLockFile(>)  13 
NtQueryAttributesFile(>)  68 

NtSecureConnectPort(>)  1 
NtUserOpenDesktop(>)  3 
NtUnlockFile(>)  13 
NtQueryInformationToken(>)  72 

NtSetSecurityObject(>)  1 
NtUserRemoveProp(>)  3 
NtCreateEvent(>)  14 
NtQueryKey(>)  73 

NtTestAlert(>)  1 
NtWaitForMultipleObjects(>)  3 
NtOpenProcessToken(>)  14 
NtUserGetClassInfo(>)  82 

NtUserBuildNameList(>)  1 
NtQueryVirtualMemory(>)  4 
NtSetValueKey(>)  15 
NtQuerySystemInformation(>)  88 

NtUserGetAtomName(>)  1 
NtReleaseMutant(>)  4 
NtQueryDebugFilterState(>)  16 
NtAllocateVirtualMemory(>)  89 

NtUserGetDC(>)  1 
NtSetInformationObject(>)  4 
NtQueryDirectoryFile(>)  17 
NtOpenFile(>)  90 

NtUserGetForegroundWindow(>)  1 
NtUserFindWindowEx(>)  4 
NtReadFile(>)  17 
NtQueryValueKey(>)  125 

NtUserGetGUIThreadInfo(>)  1 
NtWriteVirtualMemory(>)  4 
NtSetInformationThread(>)  17 
NtOpenKey(>)  288 

NtUserGetThreadDesktop(>)  1 
NtDuplicateObject(>)  5 
NtCreateFile(>)  18 
NtUserQueryWindow(>)  290 

NtUserSetProp(>)  1 
NtGdiGetStockObject(>)  5 
NtFreeVirtualMemory(>)  18 
NtClose(>)  396 

NtAdjustPrivilegesToken(>)  2 
NtWriteFile(>)  5 
NtUserRegisterWindowMessage(>)  19 

Trace:
 00001   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00002   484   NtOpenKeyedEvent  (0x2000000, {24, 0, 0x0, 0, 0,  (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0
 00003   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00004   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048576, 8192, 4, ... 1376256, 1048576, ) == 0x0
 00005   484   NtAllocateVirtualMemory  (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0
 00006   484   NtAllocateVirtualMemory  (-1, 1380352, 0, 8192, 4096, 4, ... 1380352, 8192, ) == 0x0
 00007   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00008   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 2424832, 65536, ) == 0x0
 00009   484   NtAllocateVirtualMemory  (-1, 2424832, 0, 24576, 4096, 4, ... 2424832, 24576, ) == 0x0
 00010   484   NtOpenDirectoryObject  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0
 00011   484   NtOpenSymbolicLinkObject  (0x1, {24, 8, 0x40, 0, 0,  (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0
 00012   484   NtQuerySymbolicLinkObject  (12, ...  (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0
 00013   484   NtClose  (12, ... ) == 0x0
 00014   484   NtOpenFile  (0x100020, {24, 0, 0x42, 0, 0,  (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0
 00015   484   NtQueryVolumeInformationFile  (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00016   484   NtFsControlFile  (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER
 00017   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00018   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0
 00019   484   NtMapViewOfSection  (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0
 00020   484   NtClose  (16, ... ) == 0x0
 00021   484   NtQuerySystemInformation  (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0
 00022   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00023   484   NtCreateSection  (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0
 00024   484   NtSecureConnectPort  ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1385272, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2490368, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0
 00025   484   NtClose  (16, ... ) == 0x0
 00026   484   NtQueryObject  (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0
 00027   484   NtSetInformationObject  (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0
 00028   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00029   484   NtQueryVirtualMemory  (-1, 0x260000, Basic, 28, ... {BaseAddress=0x260000,AllocationBase=0x260000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0
 00030   484   NtAllocateVirtualMemory  (-1, 2490368, 0, 4096, 4096, 4, ... 2490368, 4096, ) == 0x0
 00031   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 0, 0, 0, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 468, 484, 1527, 0} "`F\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ... {28, 56, reply, 0, 468, 484, 1527, 0}  (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 468, 484, 1527, 0} "`F\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" )  ) == 0x0
 00032   484   NtRegisterThreadTerminatePort  (24, ... ) == 0x0
 00033   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0
 00034   484   NtQueryValueKey  (16,  (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00035   484   NtClose  (16, ... ) == 0x0
 00036   484   NtAllocateVirtualMemory  (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0
 00037   484   NtOpenMutant  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0
 00038   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 28, ) == 0x0
 00039   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x270000), 0x0, 90112, ) == 0x0
 00040   484   NtClose  (28, ... ) == 0x0
 00041   484   NtQueryDefaultLocale  (0, 2012046252, ... ) == 0x0
 00042   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0
 00043   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x290000), 0x0, 212992, ) == 0x0
 00044   484   NtClose  (28, ... ) == 0x0
 00045   484   NtOpenSection  (0x5, {24, 0, 0x40, 0, 0,  (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0
 00046   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2d0000), 0x0, 266240, ) == 0x0
 00047   484   NtQuerySection  (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0
 00048   484   NtClose  (28, ... ) == 0x0
 00049   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0
 00050   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x320000), 0x0, 24576, ) == 0x0
 00051   484   NtClose  (28, ... ) == 0x0
 00052   484   NtQueryVirtualMemory  (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0
 00053   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00054   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00055   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 468, 484, 1538, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ... {28, 56, reply, 0, 468, 484, 1538, 0}  (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 468, 484, 1538, 0} "\370\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" )  ) == 0x0
 00056   484   NtProtectVirtualMemory  (-1, (0x45c000), 212992, 4, ... (0x45c000), 212992, 128, ) == 0x0
 00057   484   NtProtectVirtualMemory  (-1, (0x45c000), 212992, 128, ... (0x45c000), 212992, 4, ) == 0x0
 00058   484   NtFlushInstructionCache  (-1, 4571136, 212992, ... ) == 0x0
 00059   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00060   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0
 00061   484   NtClose  (28, ... ) == 0x0
 00062   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00063   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0
 00064   484   NtClose  (28, ... ) == 0x0
 00065   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00066   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0
 00067   484   NtClose  (28, ... ) == 0x0
 00068   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0
 00069   484   NtMapViewOfSection  (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0
 00070   484   NtClose  (28, ... ) == 0x0
 00071   484   NtProtectVirtualMemory  (-1, (0x45c000), 212992, 4, ... (0x45c000), 212992, 64, ) == 0x0
 00072   484   NtProtectVirtualMemory  (-1, (0x45c000), 212992, 64, ... (0x45c000), 212992, 4, ) == 0x0
 00073   484   NtFlushInstructionCache  (-1, 4571136, 212992, ... ) == 0x0
 00074   484   NtOpenProcessToken  (-1, 0x8, ... 28, ) == 0x0
 00075   484   NtQueryInformationToken  (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00076   484   NtClose  (28, ... ) == 0x0
 00077   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00078   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00079   484   NtClose  (28, ... ) == 0x0
 00080   484   NtAllocateVirtualMemory  (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0
 00081   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0
 00082   484   NtQueryValueKey  (28,  (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00083   484   NtQueryValueKey  (28,  (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00084   484   NtClose  (28, ... ) == 0x0
 00085   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0
 00086   484   NtQueryValueKey  (28,  (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00087   484   NtClose  (28, ... ) == 0x0
 00088   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0
 00089   484   NtSetInformationObject  (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0
 00090   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00091   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00092   484   NtRequestWaitReplyPort  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 468, 484, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ... {28, 56, reply, 0, 468, 484, 1567, 0}  (24, {28, 56, new_msg, 0, 2, 2147347448, 1246412, 0} "\210\6\32\1\0\0\0\0\314\4\23\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 468, 484, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0!\215\30\34\3\0\0\0\234\6\32\1$\1\0\0" )  ) == 0x0
 00093   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00094   484   NtMapViewOfSection  (32, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4a0000), 0x0, 1060864, ) == 0x0
 00095   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0
 00096   484   NtOpenThreadTokenEx  (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN
 00097   484   NtOpenProcessTokenEx  (-1, 0x8, 512, ... -2147482020, ) == 0x0
 00098   484   NtQueryInformationToken  (-2147482020, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 00099   484   NtQueryInformationToken  (-2147482020, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 00100   484   NtClose  (-2147482020, ... ) == 0x0
 00101   484   NtAllocateVirtualMemory  (-1, 0, 0, 32, 4096, 4, ... 5963776, 4096, ) == 0x0
 00102   484   NtFreeVirtualMemory  (-1, (0x5b0000), 4096, 32768, ... (0x5b0000), 4096, ) == 0x0
 00103   484   NtDuplicateObject  (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0
 00104   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00105   484   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00106   484   NtClose  (-2147482020, ... ) == 0x0
 00107   484   NtOpenKey  (0x20019, {24, 0, 0x240, 0, 0,  (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00108   484   NtQueryValueKey  (-2147482020,  (-2147482020, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00109   484   NtClose  (-2147482020, ... ) == 0x0
 00110   484   NtQueryDefaultLocale  (0, -130840052, ... ) == 0x0
 00111   484   NtGdiQueryFontAssocInfo  (0, ... ) == 0x0
 00112   484   NtUserCallNoParam  (24, ... ) == 0x0
 00113   484   NtGdiCreateCompatibleDC  (0, ...
 00114   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 5963776, 4096, ) == 0x0
 00113   484   NtGdiCreateCompatibleDC  ... ) == 0xe010448
 00115   484   NtGdiGetStockObject  (0, ... ) == 0x1900010
 00116   484   NtGdiGetStockObject  (4, ... ) == 0x1900011
 00117   484   NtGdiCreateBitmap  (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f
 00118   484   NtGdiCreateSolidBrush  (0, 0, ...
 00119   484   NtAllocateVirtualMemory  (-1, 0, 0, 4096, 12288, 4, ... 9175040, 4096, ) == 0x0
 00118   484   NtGdiCreateSolidBrush  ... ) == 0x8100452
 00120   484   NtGdiGetStockObject  (13, ... ) == 0x18a0021
 00121   484   NtGdiCreateCompatibleDC  (0, ... ) == 0x6010453
 00122   484   NtGdiSelectBitmap  (100729939, 184878159, ... ) == 0x185000f
 00123   484   NtUserGetThreadDesktop  (484, 0, ... ) == 0x2c
 00124   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0
 00125   484   NtQueryValueKey  (52,  (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 00126   484   NtClose  (52, ... ) == 0x0
 00127   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00128   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017
 00129   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00130   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c
 00131   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00132   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e
 00133   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00134   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002
 00135   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10013
 00136   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018
 00137   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00138   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a
 00139   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00140   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d
 00141   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00142   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026
 00143   484   NtUserFindExistingCursorIcon  (1241204, 1241220, 1241788, ... ) == 0x10011
 00144   484   NtUserRegisterClassExWOW  (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019
 00145   484   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020
 00146   484   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022
 00147   484   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023
 00148   484   NtUserRegisterClassExWOW  (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ...
 00149   484   NtAllocateVirtualMemory  (-1, 6139904, 0, 4096, 4096, 32, ... 6139904, 4096, ) == 0x0
 00148   484   NtUserRegisterClassExWOW  ... ) == 0x810cc024
 00150   484   NtUserRegisterClassExWOW  (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025
 00151   484   NtCallbackReturn  (0, 0, 0, ...
 00152   484   NtGdiInit  (... ) == 0x1
 00153   484   NtGdiGetStockObject  (18, ... ) == 0x290001c
 00154   484   NtGdiGetStockObject  (19, ... ) == 0x1b00019
 00155   484   NtAllocateVirtualMemory  (-1, 0, 0, 18306, 4096, 4, ... 9240576, 20480, ) == 0x0
 00156   484   NtFreeVirtualMemory  (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 20480, ) == 0x0
 00157   484   NtQueryVirtualMemory  (-1, 0x401000, Basic, 52, ... {BaseAddress=0x401000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x22000,State=0x1000,Protect=0x80,Type=0x1000000,}, 28, ) == 0x0
 00158   484   NtQueryVirtualMemory  (-1, 0x451e53, Basic, 28, ... {BaseAddress=0x451000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0xb000,State=0x1000,Protect=0x4,Type=0x1000000,}, 28, ) == 0x0
 00159   484   NtAllocateVirtualMemory  (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0
 00160   484   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00161   484   NtProtectVirtualMemory  (-1, (0x4001f8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00162   484   NtProtectVirtualMemory  (-1, (0x400220), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00163   484   NtProtectVirtualMemory  (-1, (0x400220), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00164   484   NtProtectVirtualMemory  (-1, (0x400248), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00165   484   NtProtectVirtualMemory  (-1, (0x400248), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00166   484   NtProtectVirtualMemory  (-1, (0x400270), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00167   484   NtProtectVirtualMemory  (-1, (0x400270), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00168   484   NtProtectVirtualMemory  (-1, (0x400298), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00169   484   NtProtectVirtualMemory  (-1, (0x400298), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00170   484   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00171   484   NtProtectVirtualMemory  (-1, (0x4002c0), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00172   484   NtProtectVirtualMemory  (-1, (0x4002e8), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00173   484   NtProtectVirtualMemory  (-1, (0x4002e8), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00174   484   NtProtectVirtualMemory  (-1, (0x400310), 40, 4, ... (0x400000), 4096, 2, ) == 0x0
 00175   484   NtProtectVirtualMemory  (-1, (0x400310), 40, 2, ... (0x400000), 4096, 4, ) == 0x0
 00176   484   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00177   484   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00178   484   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100b0, 0x100ae, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00179   484   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00180   484   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00181   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1896, 0}, ... 52, ) == 0x0
 00182   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00183   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00184   484   NtContinue  (-130843492, 0, ...
 00183   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00185   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00186   484   NtContinue  (-130843492, 0, ...
 00185   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00187   484   NtClose  (52, ... ) == 0x0
 00188   484   NtUserQueryWindow  (65758, 0, ... ) == 0x768
 00189   484   NtUserQueryWindow  (65758, 1, ... ) == 0x778
 00190   484   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 00191   484   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 00192   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2004, 0}, ... 52, ) == 0x0
 00193   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \1\0\0", 64, ) , 64, ) == 0x0
 00194   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00195   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00196   484   NtClose  (52, ... ) == 0x0
 00197   484   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 00198   484   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 00199   484   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 00200   484   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 00201   484   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 00202   484   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 00203   484   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 00204   484   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 00205   484   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00206   484   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00207   484   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00208   484   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00209   484   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00210   484   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00211   484   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00212   484   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00213   484   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00214   484   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00215   484   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00216   484   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00217   484   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 00218   484   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 00219   484   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00220   484   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00221   484   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00222   484   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00223   484   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00224   484   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00225   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {616, 0}, ... 52, ) == 0x0
 00226   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00227   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00228   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00229   484   NtClose  (52, ... ) == 0x0
 00230   484   NtUserQueryWindow  (65754, 0, ... ) == 0x13c
 00231   484   NtUserQueryWindow  (65754, 1, ... ) == 0x170
 00232   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {316, 0}, ... 52, ) == 0x0
 00233   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00234   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00235   484   NtContinue  (-130843492, 0, ...
 00234   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00236   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00237   484   NtContinue  (-130843492, 0, ...
 00236   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00238   484   NtClose  (52, ... ) == 0x0
 00239   484   NtUserQueryWindow  (65746, 0, ... ) == 0x13c
 00240   484   NtUserQueryWindow  (65746, 1, ... ) == 0x170
 00241   484   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 00242   484   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 00243   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2020, 0}, ... 52, ) == 0x0
 00244   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0", 64, ) , 64, ) == 0x0
 00245   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\377\0\377\377", 4, ) , 4, ) == 0x0
 00246   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\210fvx\210x\206wfvGe$\306d\21\26\210ls\210\210\250g\207\210hhx\207xhvwdfF|d\21\27\210\206hx\250\252\206\210\207v\207\210x\207\207gfv4F\306G\21\21\210\206\207\210\212\250\250h\210\207x\210\210wvwgFD$d!\21\21x\250g\210\212\252\250\206\210\207w\210\207\207wvvgBGd\21\21\21\210\212\203\210\250\252\212\210x\210w\210\210xwgcd%F\1\21\21\21\27\212\250\210\212\252\252\210f\210\207x\210\207w7fR@`\21\21\21\21\21\210\2508\212\252\250\250\210gw\21088vvu$$!\21\21\21\21\21\30\210\210\210\212\252\210\206vgw\210\203wsb`\7\21\21\21\21\21\21\21\210\203\210\210\210\210\207vvwwwsf4\7\21\21\21\21\21\21\21\21\30\210\210\210\210\210wGwvwww5\2\21\21\21\21\21\21", 256, ) , 256, ) == 0x0
 00247   484   NtClose  (52, ... ) == 0x0
 00248   484   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 00249   484   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 00250   484   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 00251   484   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 00252   484   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 00253   484   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 00254   484   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 00255   484   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 00256   484   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 00257   484   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 00258   484   NtUserQueryWindow  (131172, 0, ... ) == 0x7f0
 00259   484   NtUserQueryWindow  (131172, 1, ... ) == 0x7f4
 00260   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {2032, 0}, ... 52, ) == 0x0
 00261   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "\301\0\0\0\0\1\0\0\377\356\377\356\11\0\0\0\11\0\0\0\0\376\0\0\0\0\20\0\0 \0\0\0\2\0\0\0 \0\0q\0\0\0\377\357\375\177\0\0\10\6\0\0\0\0\0\0\0\0\0\0\0\0", 64, ) , 64, ) == 0x0
 00262   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...  (52, 0x4b1c86, 4, ... "\0\0\0\0", 4, ) , 4, ) == 0x0
 00263   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...  (52, 0x4c91a0, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 00264   484   NtClose  (52, ... ) == 0x0
 00265   484   NtUserQueryWindow  (65742, 0, ... ) == 0x768
 00266   484   NtUserQueryWindow  (65742, 1, ... ) == 0x1a4
 00267   484   NtUserQueryWindow  (65732, 0, ... ) == 0x768
 00268   484   NtUserQueryWindow  (65732, 1, ... ) == 0x1a4
 00269   484   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00270   484   NtUserQueryWindow  (65730, 1, ... ) == 0x778
 00271   484   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 00272   484   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 00273   484   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 00274   484   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 00275   484   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 00276   484   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 00277   484   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 00278   484   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 00279   484   NtOpenProcess  (0x10, {24, 0, 0x0, 0, 0, 0x0}, {1996, 0}, ... 52, ) == 0x0
 00280   484   NtReadVirtualMemory  (52, 0x400000, 64, ...  (52, 0x400000, 64, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0", 64, ) , 64, ) == 0x0
 00281   484   NtReadVirtualMemory  (52, 0x4b1c86, 4, ...
 00282   484   NtContinue  (-130843492, 0, ...
 00281   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00283   484   NtReadVirtualMemory  (52, 0x4c91a0, 256, ...
 00284   484   NtContinue  (-130843492, 0, ...
 00283   484   NtReadVirtualMemory  ... ) == STATUS_PARTIAL_COPY
 00285   484   NtClose  (52, ... ) == 0x0
 00286   484   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00287   484   NtUserQueryWindow  (65644, 1, ... ) == 0x798
 00288   484   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00289   484   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00290   484   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00291   484   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00292   484   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00293   484   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00294   484   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 00295   484   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 00296   484   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00297   484   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00298   484   NtRaiseException  (1242696, 1241956, 1, ...
 00299   484   NtContinue  (1240752, 0, ...
 00300   484   NtOpenDirectoryObject  (0x2000f, {24, 0, 0x40, 0, 0,  (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0
 00301   484   NtOpenMutant  (0x120001, {24, 52, 0x2, 0, 0,  (0x120001, {24, 52, 0x2, 0, 0, "DBWinMutex"}, ... 56, ) }, ... 56, ) == 0x0
 00302   484   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00303   484   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00304   484   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00305   484   NtDuplicateObject  (-1, 2486, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00306   484   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00307   484   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00308   484   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100b0, 0x100ae, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00309   484   NtUserFindWindowEx  (0, 0,  (0, 0, "OLLYDBG", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00310   484   NtUserFindWindowEx  (0, 0,  (0, 0, "WispWindowClass", 0x0, 0, ... ) , 0x0, 0, ... ) == 0x0
 00311   484   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100b0, 0x100ae, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00312   484   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 00313   484   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 00314   484   NtUserQueryWindow  (65758, 0, ... ) == 0x768
 00315   484   NtUserQueryWindow  (65758, 1, ... ) == 0x778
 00316   484   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 00317   484   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 00318   484   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 00319   484   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 00320   484   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 00321   484   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 00322   484   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 00323   484   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 00324   484   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 00325   484   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 00326   484   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 00327   484   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 00328   484   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 00329   484   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 00330   484   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 00331   484   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 00332   484   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 00333   484   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 00334   484   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 00335   484   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 00336   484   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 00337   484   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 00338   484   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 00339   484   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 00340   484   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 00341   484   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 00342   484   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 00343   484   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 00344   484   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 00345   484   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 00346   484   NtUserQueryWindow  (65754, 0, ... ) == 0x13c
 00347   484   NtUserQueryWindow  (65754, 1, ... ) == 0x170
 00348   484   NtUserQueryWindow  (65746, 0, ... ) == 0x13c
 00349   484   NtUserQueryWindow  (65746, 1, ... ) == 0x170
 00350   484   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 00351   484   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 00352   484   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 00353   484   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 00354   484   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 00355   484   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 00356   484   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 00357   484   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 00358   484   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 00359   484   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 00360   484   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 00361   484   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 00362   484   NtUserQueryWindow  (131172, 0, ... ) == 0x7f0
 00363   484   NtUserQueryWindow  (131172, 1, ... ) == 0x7f4
 00364   484   NtUserQueryWindow  (65742, 0, ... ) == 0x768
 00365   484   NtUserQueryWindow  (65742, 1, ... ) == 0x1a4
 00366   484   NtUserQueryWindow  (65732, 0, ... ) == 0x768
 00367   484   NtUserQueryWindow  (65732, 1, ... ) == 0x1a4
 00368   484   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 00369   484   NtUserQueryWindow  (65730, 1, ... ) == 0x778
 00370   484   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 00371   484   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 00372   484   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 00373   484   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 00374   484   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 00375   484   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 00376   484   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 00377   484   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 00378   484   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 00379   484   NtUserQueryWindow  (65644, 1, ... ) == 0x798
 00380   484   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 00381   484   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 00382   484   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 00383   484   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 00384   484   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 00385   484   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 00386   484   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 00387   484   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 00388   484   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 00389   484   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 00390   484   NtRaiseException  (1242640, 1241900, 1, ...
 00391   484   NtContinue  (1240696, 0, ...
 00392   484   NtWaitForSingleObject  (56, 0, 0x0, ... ) == 0x0
 00393   484   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "DBWIN_BUFFER"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00394   484   NtReleaseMutant  (56, ... 0x0, ) == 0x0
 00395   484   NtDuplicateObject  (-1, 3102, -1, 0x0, 0, 2, ... ) == STATUS_INVALID_HANDLE
 00396   484   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00397   484   NtClose  (0, ... ) == STATUS_INVALID_HANDLE
 00398   484   NtUserBuildHwndList  (0, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100b0, 0x100ae, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 40, ) == 0x0
 00399   484   NtSetSecurityObject  (-1, 4, {1, 0, 0x4, 0, 0, 0, 1242476}, ... ) == 0x0
 00400   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0
 00401   484   NtQueryValueKey  (60,  (60, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00402   484   NtClose  (60, ... ) == 0x0
 00403   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MPR.dll"}, ... 60, ) }, ... 60, ) == 0x0
 00404   484   NtMapViewOfSection  (60, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0
 00405   484   NtClose  (60, ... ) == 0x0
 00406   484   NtCreateSemaphore  (0x1f0003, 0x0, 1, 1, ... 60, ) == 0x0
 00407   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0
 00408   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 68, ) }, ... 68, ) == 0x0
 00409   484   NtNotifyChangeKey  (68, 64, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103
 00410   484   NtQueryInformationProcess  (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0
 00411   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 72, ) == 0x0
 00412   484   NtCreateSemaphore  (0x100003, 0x0, 0, 2147483647, ... 76, ) == 0x0
 00413   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "ODBC32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00414   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00415   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00416   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00417   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ODBC32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00418   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 84, ) == 0x0
 00419   484   NtQuerySection  (84, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00420   484   NtOpenProcessToken  (-1, 0x8, ... 88, ) == 0x0
 00421   484   NtQueryInformationToken  (88, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0
 00422   484   NtOpenKey  (0x3, {24, 0, 0x40, 0, 0,  (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00423   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 92, ) }, ... 92, ) == 0x0
 00424   484   NtQueryValueKey  (92,  (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (92, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 00425   484   NtClose  (92, ... ) == 0x0
 00426   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00427   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 92, ) == 0x0
 00428   484   NtQueryInformationToken  (92, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00429   484   NtClose  (92, ... ) == 0x0
 00430   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00431   484   NtClose  (88, ... ) == 0x0
 00432   484   NtClose  (80, ... ) == 0x0
 00433   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f7b0000), 0x0, 200704, ) == 0x0
 00434   484   NtClose  (84, ... ) == 0x0
 00435   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "COMCTL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00436   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0
 00437   484   NtClose  (84, ... ) == 0x0
 00438   484   NtProtectVirtualMemory  (-1, (0x1f7b1000), 724, 4, ... (0x1f7b1000), 4096, 32, ) == 0x0
 00439   484   NtProtectVirtualMemory  (-1, (0x1f7b1000), 4096, 32, ... (0x1f7b1000), 4096, 4, ) == 0x0
 00440   484   NtFlushInstructionCache  (-1, 528158720, 724, ... ) == 0x0
 00441   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "comdlg32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00442   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x763b0000), 0x0, 282624, ) == 0x0
 00443   484   NtClose  (84, ... ) == 0x0
 00444   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00445   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0
 00446   484   NtClose  (84, ... ) == 0x0
 00447   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00448   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0
 00449   484   NtClose  (84, ... ) == 0x0
 00450   484   NtProtectVirtualMemory  (-1, (0x763b1000), 1536, 4, ... (0x763b1000), 4096, 32, ) == 0x0
 00451   484   NtProtectVirtualMemory  (-1, (0x763b1000), 4096, 32, ... (0x763b1000), 4096, 4, ) == 0x0
 00452   484   NtFlushInstructionCache  (-1, 1983582208, 1536, ... ) == 0x0
 00453   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SHELL32.dll"}, ... 84, ) }, ... 84, ) == 0x0
 00454   484   NtMapViewOfSection  (84, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0
 00455   484   NtClose  (84, ... ) == 0x0
 00456   484   NtOpenProcess  (0x400, {24, 0, 0x0, 0, 0, 0x0}, {468, 0}, ... 84, ) == 0x0
 00457   484   NtQueryInformationProcess  (84, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0
 00458   484   NtClose  (84, ... ) == 0x0
 00459   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00460   484   NtUserSystemParametersInfo  (104, 0, 2000318720, 0, ... ) == 0x1
 00461   484   NtUserSystemParametersInfo  (38, 4, 2000318708, 0, ... ) == 0x1
 00462   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00463   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 84, ) == 0x0
 00464   484   NtQueryInformationToken  (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00465   484   NtClose  (84, ... ) == 0x0
 00466   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 84, ) }, ... 84, ) == 0x0
 00467   484   NtSetInformationObject  (84, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 00468   484   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 80, ) }, ... 80, ) == 0x0
 00469   484   NtQueryValueKey  (80,  (80, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00470   484   NtClose  (80, ... ) == 0x0
 00471   484   NtUserSystemParametersInfo  (41, 500, 1241216, 0, ... ) == 0x1
 00472   484   NtUserSystemParametersInfo  (102, 0, 2000318732, 0, ... ) == 0x1
 00473   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00474   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00475   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03b
 00476   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00477   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03d
 00478   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00479   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00480   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc03f
 00481   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00482   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00483   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc041
 00484   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00485   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00486   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc043
 00487   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00488   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc045
 00489   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00490   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00491   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc047
 00492   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00493   484   NtUserFindExistingCursorIcon  (1241004, 1241020, 1241588, ... ) == 0x10011
 00494   484   NtUserRegisterClassExWOW  (1241456, 1241536, 1241520, 1241552, 0, 384, 0, ... ) == 0x810cc049
 00495   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00496   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00497   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04b
 00498   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00499   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00500   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04d
 00501   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00502   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00503   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc04f
 00504   484   NtUserGetClassInfo  (1999896576, 1241628, 1241580, 1241656, 0, ... ) == 0x0
 00505   484   NtUserRegisterClassExWOW  (1241464, 1241544, 1241528, 1241560, 0, 384, 0, ... ) == 0x810cc051
 00506   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00507   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00508   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc053
 00509   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00510   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00511   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc055
 00512   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc057
 00513   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00514   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00515   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc059
 00516   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00517   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10013
 00518   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05b
 00519   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00520   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00521   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05d
 00522   484   NtUserGetClassInfo  (1999896576, 1241624, 1241576, 1241652, 0, ... ) == 0x0
 00523   484   NtUserFindExistingCursorIcon  (1241008, 1241024, 1241592, ... ) == 0x10011
 00524   484   NtUserRegisterClassExWOW  (1241460, 1241540, 1241524, 1241556, 0, 384, 0, ... ) == 0x810cc05f
 00525   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00526   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0
 00527   484   NtAllocateVirtualMemory  (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0
 00528   484   NtAllocateVirtualMemory  (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0
 00529   484   NtOpenSection  (0x4, {24, 0, 0x40, 0, 0,  (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 80, ) }, ... 80, ) == 0x0
 00530   484   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x8e0000), 0x0, 12288, ) == 0x0
 00531   484   NtClose  (80, ... ) == 0x0
 00532   484   NtAllocateVirtualMemory  (-1, 9252864, 0, 4096, 4096, 4, ... 9252864, 4096, ) == 0x0
 00533   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00534   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 80, ) }, ... 80, ) == 0x0
 00535   484   NtQueryValueKey  (80,  (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 00536   484   NtClose  (80, ... ) == 0x0
 00537   484   NtQueryDefaultUILanguage  (1239840, ...
 00538   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00539   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00540   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00541   484   NtClose  (-2147482020, ... ) == 0x0
 00542   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00543   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00544   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00545   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00546   484   NtClose  (-2147482032, ... ) == 0x0
 00547   484   NtClose  (-2147482020, ... ) == 0x0
 00537   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00548   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00549   484   NtQueryInstallUILanguage  (2012047340, ... ) == 0x0
 00550   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00551   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 88, ) == 0x0
 00552   484   NtMapViewOfSection  (88, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 8323072, ) == 0x0
 00553   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00554   484   NtQueryDefaultUILanguage  (2013024600, ...
 00555   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00556   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00557   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00558   484   NtClose  (-2147482020, ... ) == 0x0
 00559   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00560   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00561   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00562   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00563   484   NtClose  (-2147482032, ... ) == 0x0
 00564   484   NtClose  (-2147482020, ... ) == 0x0
 00554   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00565   484   NtAllocateVirtualMemory  (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0
 00566   484   NtQueryInstallUILanguage  (2013024602, ... ) == 0x0
 00567   484   NtQueryDefaultLocale  (1, 1237876, ... ) == 0x0
 00568   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00569   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1579, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 468, 484, 1579, 0}  (24, {128, 156, new_msg, 0, 1238732, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1579, 0} " S\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1P\0\0\0\377\377\377\377\0\0\0\0\20\311\306\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\314\355\22\0\0\0\0\0" )  ) == 0x0
 00570   484   NtClose  (80, ... ) == 0x0
 00571   484   NtClose  (88, ... ) == 0x0
 00572   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00573   484   NtUnmapViewOfSection  (-1, 0x12edcc, ... ) == STATUS_NOT_MAPPED_VIEW
 00574   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00575   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00576   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00577   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00578   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236960, ... ) }, 1236960, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00579   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00580   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00581   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00582   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237552, ... ) }, 1237552, ... ) == 0x0
 00583   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 88, {status=0x0, info=1}, ) }, 3, 33, ... 88, {status=0x0, info=1}, ) == 0x0
 00584   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00585   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00586   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00587   484   NtClose  (80, ... ) == 0x0
 00588   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 921600, ) == 0x0
 00589   484   NtClose  (92, ... ) == 0x0
 00590   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00591   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00592   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 92, ... 80, ) == 0x0
 00593   484   NtQuerySection  (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00594   484   NtClose  (92, ... ) == 0x0
 00595   484   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0
 00596   484   NtClose  (80, ... ) == 0x0
 00597   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00598   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00599   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00600   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00601   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00602   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00603   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00604   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00605   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00606   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00607   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00608   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00609   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00610   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00611   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00612   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00613   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00614   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00615   484   NtProtectVirtualMemory  (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0
 00616   484   NtProtectVirtualMemory  (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0
 00617   484   NtFlushInstructionCache  (-1, 1905594368, 1952, ... ) == 0x0
 00618   484   NtAddAtom  ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1238736, ... ) , 42, 1238736, ... ) == 0x0
 00619   484   NtQueryDefaultUILanguage  (1237452, ...
 00620   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00621   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00622   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00623   484   NtClose  (-2147482020, ... ) == 0x0
 00624   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00625   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00626   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00627   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00628   484   NtClose  (-2147482032, ... ) == 0x0
 00629   484   NtClose  (-2147482020, ... ) == 0x0
 00619   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00630   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00631   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1236304, ... ) }, 1236304, ... ) == 0x0
 00632   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00633   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 80, ... 92, ) == 0x0
 00634   484   NtClose  (80, ... ) == 0x0
 00635   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00636   484   NtClose  (92, ... ) == 0x0
 00637   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00638   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1235944, ... ) }, 1235944, ... ) == 0x0
 00639   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 1236644,  (0x80100080, {24, 0, 0x40, 0, 1236644, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0
 00640   484   NtCreateSection  (0xf0005, 0x0, 0x0, 2, 134217728, 92, ... 80, ) == 0x0
 00641   484   NtClose  (92, ... ) == 0x0
 00642   484   NtMapViewOfSection  (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8f0000), {0, 0}, 4096, ) == 0x0
 00643   484   NtClose  (80, ... ) == 0x0
 00644   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00645   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 80, {status=0x0, info=1}, ) }, 1, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00646   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 80, ... 92, ) == 0x0
 00647   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8f0000), 0x0, 4096, ) == 0x0
 00648   484   NtQueryInformationFile  (80, 1236264, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0
 00649   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00650   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1580, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 468, 484, 1580, 0}  (24, {128, 156, new_msg, 0, 1236344, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1580, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1P\0\0\0\\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0x\344\22\0\0\0\0\0" )  ) == 0x0
 00651   484   NtClose  (80, ... ) == 0x0
 00652   484   NtClose  (92, ... ) == 0x0
 00653   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 00654   484   NtUnmapViewOfSection  (-1, 0x12e478, ... ) == STATUS_NOT_MAPPED_VIEW
 00655   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00656   484   NtUserRegisterWindowMessage  ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a
 00657   484   NtUserSystemParametersInfo  (104, 0, 1906151468, 0, ... ) == 0x1
 00658   484   NtUserGetDC  (0, ... ) == 0x1010052
 00659   484   NtUserCallOneParam  (16842834, 56, ... ) == 0x1
 00660   484   NtUserSystemParametersInfo  (38, 4, 1906153440, 0, ... ) == 0x1
 00661   484   NtUserSystemParametersInfo  (66, 12, 1238756, 0, ... ) == 0x1
 00662   484   NtOpenProcessToken  (-1, 0x8, ... 92, ) == 0x0
 00663   484   NtAccessCheck  (1393640, 92, 0x1, 1238160, 1238104, 56, 1238188, ... ) == STATUS_NO_IMPERSONATION_TOKEN
 00664   484   NtClose  (92, ... ) == 0x0
 00665   484   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "Control Panel\Desktop"}, ... 92, ) }, ... 92, ) == 0x0
 00666   484   NtQueryValueKey  (92,  (92, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00667   484   NtClose  (92, ... ) == 0x0
 00668   484   NtUserSystemParametersInfo  (41, 500, 1238256, 0, ... ) == 0x1
 00669   484   NtAllocateVirtualMemory  (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0
 00670   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 92, ) }, ... 92, ) == 0x0
 00671   484   NtQueryValueKey  (92,  (92, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00672   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 80, ) }, ... 80, ) == 0x0
 00673   484   NtQueryValueKey  (80,  (80, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00674   484   NtClose  (80, ... ) == 0x0
 00675   484   NtClose  (92, ... ) == 0x0
 00676   484   NtUserSystemParametersInfo  (102, 0, 1906153328, 0, ... ) == 0x1
 00677   484   NtUserSystemParametersInfo  (4130, 0, 1238780, 0, ... ) == 0x1
 00678   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 92, ) }, ... 92, ) == 0x0
 00679   484   NtEnumerateValueKey  (92, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 00680   484   NtClose  (92, ... ) == 0x0
 00681   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00682   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03b
 00683   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc03d
 00684   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00685   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc03f
 00686   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00687   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc041
 00688   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00689   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc043
 00690   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc045
 00691   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00692   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc047
 00693   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00694   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ...
 00695   484   NtAllocateVirtualMemory  (-1, 6144000, 0, 4096, 4096, 32, ... 6144000, 4096, ) == 0x0
 00694   484   NtUserRegisterClassExWOW  ... ) == 0x810cc049
 00696   484   NtUserGetClassInfo  (1905590272, 1238676, 1238628, 1238704, 0, ... ) == 0xc049
 00697   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00698   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04b
 00699   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00700   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04d
 00701   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00702   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc04f
 00703   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc051
 00704   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00705   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc053
 00706   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00707   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc055
 00708   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc057
 00709   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00710   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc059
 00711   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10013
 00712   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05b
 00713   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00714   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05d
 00715   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00716   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc05f
 00717   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00718   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc017
 00719   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00720   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc019
 00721   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10013
 00722   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc018
 00723   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00724   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01a
 00725   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00726   484   NtUserRegisterClassExWOW  (1238512, 1238592, 1238576, 1238608, 0, 384, 0, ... ) == 0x810cc01c
 00727   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00728   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc01e
 00729   484   NtUserFindExistingCursorIcon  (1238060, 1238076, 1238644, ... ) == 0x10011
 00730   484   NtUserRegisterClassExWOW  (1238572, 1238652, 1238636, 1238668, 0, 384, 0, ... ) == 0x810cc01b
 00731   484   NtUserFindExistingCursorIcon  (1238056, 1238072, 1238640, ... ) == 0x10011
 00732   484   NtUserRegisterClassExWOW  (1238568, 1238648, 1238632, 1238664, 0, 384, 0, ... ) == 0x810cc068
 00733   484   NtUserFindExistingCursorIcon  (1238064, 1238080, 1238648, ... ) == 0x10011
 00734   484   NtUserRegisterClassExWOW  (1238516, 1238596, 1238580, 1238612, 0, 384, 0, ... ) == 0x810cc06a
 00735   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03b
 00736   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03d
 00737   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc03f
 00738   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc041
 00739   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc043
 00740   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc045
 00741   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc047
 00742   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc049
 00743   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04b
 00744   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04d
 00745   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc04f
 00746   484   NtUserGetClassInfo  (1999896576, 1241580, 1241532, 1241608, 0, ... ) == 0xc051
 00747   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc053
 00748   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc055
 00749   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc059
 00750   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05b
 00751   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05d
 00752   484   NtUserGetClassInfo  (1999896576, 1241576, 1241528, 1241604, 0, ... ) == 0xc05f
 00753   484   NtUserRegisterWindowMessage  ( ("WOWLFChange", ... ) , ... ) == 0xc06b
 00754   484   NtUserRegisterWindowMessage  ( ("WOWDirChange", ... ) , ... ) == 0xc06c
 00755   484   NtUserRegisterWindowMessage  ( ("WOWCHOOSEFONT_GETLOGFONT", ... ) , ... ) == 0xc06d
 00756   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00757   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00758   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00759   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00760   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00761   484   NtUserRegisterWindowMessage  ( ("commdlg_LBSelChangedNotify", ... ) , ... ) == 0xc06e
 00762   484   NtUserRegisterWindowMessage  ( ("commdlg_ShareViolation", ... ) , ... ) == 0xc06f
 00763   484   NtUserRegisterWindowMessage  ( ("commdlg_FileNameOK", ... ) , ... ) == 0xc070
 00764   484   NtUserRegisterWindowMessage  ( ("commdlg_ColorOK", ... ) , ... ) == 0xc071
 00765   484   NtUserRegisterWindowMessage  ( ("commdlg_SetRGBColor", ... ) , ... ) == 0xc072
 00766   484   NtUserRegisterWindowMessage  ( ("Shell IDList Array", ... ) , ... ) == 0xc073
 00767   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00768   484   NtUserRegisterWindowMessage  ( ("commdlg_help", ... ) , ... ) == 0xc074
 00769   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\MDAC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00770   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00771   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00772   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00773   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9502720, 262144, ) == 0x0
 00774   484   NtAllocateVirtualMemory  (-1, 9502720, 0, 4096, 4096, 4, ... 9502720, 4096, ) == 0x0
 00775   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00776   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 9764864, 262144, ) == 0x0
 00777   484   NtAllocateVirtualMemory  (-1, 9764864, 0, 4096, 4096, 4, ... 9764864, 4096, ) == 0x0
 00778   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00779   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10027008, 262144, ) == 0x0
 00780   484   NtAllocateVirtualMemory  (-1, 10027008, 0, 4096, 4096, 4, ... 10027008, 4096, ) == 0x0
 00781   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00782   484   NtAllocateVirtualMemory  (-1, 0, 0, 262144, 8192, 4, ... 10289152, 262144, ) == 0x0
 00783   484   NtAllocateVirtualMemory  (-1, 10289152, 0, 4096, 4096, 4, ... 10289152, 4096, ) == 0x0
 00784   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00785   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00786   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00787   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00788   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237456, ... ) }, 1237456, ... ) == 0x0
 00789   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0
 00790   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 92, ... 80, ) == 0x0
 00791   484   NtClose  (92, ... ) == 0x0
 00792   484   NtMapViewOfSection  (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa10000), 0x0, 90112, ) == 0x0
 00793   484   NtClose  (80, ... ) == 0x0
 00794   484   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00795   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 1237772, ... ) }, 1237772, ... ) == 0x0
 00796   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\odbcint.dll"}, 5, 96, ... 80, {status=0x0, info=1}, ) }, 5, 96, ... 80, {status=0x0, info=1}, ) == 0x0
 00797   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 80, ... 92, ) == 0x0
 00798   484   NtQuerySection  (92, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00799   484   NtClose  (80, ... ) == 0x0
 00800   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x1f850000), 0x0, 90112, ) == 0x0
 00801   484   NtClose  (92, ... ) == 0x0
 00802   484   NtQueryDefaultLocale  (1, 1239460, ... ) == 0x0
 00803   484   NtAllocateVirtualMemory  (-1, 9506816, 0, 4096, 4096, 4, ... 9506816, 4096, ) == 0x0
 00804   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE"}, ... 92, ) }, ... 92, ) == 0x0
 00805   484   NtClose  (92, ... ) == 0x0
 00806   484   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00807   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00808   484   NtOpenKey  (0x20019, {24, 84, 0x40, 0, 0,  (0x20019, {24, 84, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00809   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SOFTWARE\ODBC\ODBC.INI\ODBC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00810   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WININET.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00811   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0
 00812   484   NtClose  (92, ... ) == 0x0
 00813   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00814   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0
 00815   484   NtClose  (92, ... ) == 0x0
 00816   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00817   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0
 00818   484   NtClose  (92, ... ) == 0x0
 00819   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 92, ) }, ... 92, ) == 0x0
 00820   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0
 00821   484   NtClose  (92, ... ) == 0x0
 00822   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 92, ) }, ... 92, ) == 0x0
 00823   484   NtMapViewOfSection  (92, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0
 00824   484   NtClose  (92, ... ) == 0x0
 00825   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00826   484   NtAllocateVirtualMemory  (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0
 00827   484   NtAllocateVirtualMemory  (-1, 1404928, 0, 4096, 4096, 4, ... 1404928, 4096, ) == 0x0
 00828   484   NtAllocateVirtualMemory  (-1, 1409024, 0, 4096, 4096, 4, ... 1409024, 4096, ) == 0x0
 00829   484   NtCreateEvent  (0x1f0003, {24, 52, 0x80, 1241616, 0,  (0x1f0003, {24, 52, 0x80, 1241616, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED
 00830   484   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 92, ) }, ... 92, ) == 0x0
 00831   484   NtAllocateVirtualMemory  (-1, 1413120, 0, 4096, 4096, 4, ... 1413120, 4096, ) == 0x0
 00832   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00833   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00834   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 80, ) }, ... 80, ) == 0x0
 00835   484   NtQueryValueKey  (80,  (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (80, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0
 00836   484   NtClose  (80, ... ) == 0x0
 00837   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00838   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00839   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00840   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00841   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 80, ) }, ... 80, ) == 0x0
 00842   484   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00843   484   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00844   484   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00845   484   NtClose  (80, ... ) == 0x0
 00846   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 80, ) }, ... 80, ) == 0x0
 00847   484   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00848   484   NtQueryValueKey  (80,  (80, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00849   484   NtClose  (80, ... ) == 0x0
 00850   484   NtOpenEvent  (0x1f0003, {24, 52, 0x0, 0, 0,  (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00851   484   NtUserRegisterWindowMessage  ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b
 00852   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00853   484   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00854   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00855   484   NtAllocateVirtualMemory  (-1, 1417216, 0, 8192, 4096, 4, ... 1417216, 8192, ) == 0x0
 00856   484   NtCreateKey  (0xf003f, {24, 84, 0x40, 0, 0,  (0xf003f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 80, 2, ) }, 0, 0x0, 0, ... 80, 2, ) == 0x0
 00857   484   NtQueryDefaultUILanguage  (1239852, ...
 00858   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00859   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... -2147482020, ) == 0x0
 00860   484   NtQueryInformationToken  (-2147482020, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00861   484   NtClose  (-2147482020, ... ) == 0x0
 00862   484   NtOpenKey  (0x2000000, {24, 0, 0x640, 0, 0,  (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482020, ) }, ... -2147482020, ) == 0x0
 00863   484   NtOpenKey  (0x80000000, {24, 0, 0x240, 0, 0,  (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00864   484   NtOpenKey  (0x80000000, {24, -2147482020, 0x640, 0, 0,  (0x80000000, {24, -2147482020, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0
 00865   484   NtQueryValueKey  (-2147482032,  (-2147482032, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00866   484   NtClose  (-2147482032, ... ) == 0x0
 00867   484   NtClose  (-2147482020, ... ) == 0x0
 00857   484   NtQueryDefaultUILanguage  ... ) == 0x0
 00868   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00869   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0
 00870   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0
 00871   484   NtMapViewOfSection  (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa10000), 0x0, 593920, ) == 0x0
 00872   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00873   484   NtQueryDefaultLocale  (1, 1237888, ... ) == 0x0
 00874   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00875   484   NtRequestWaitReplyPort  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1581, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ... {128, 156, reply, 0, 468, 484, 1581, 0}  (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 468, 484, 1581, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0P\275\250\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" )  ) == 0x0
 00876   484   NtClose  (96, ... ) == 0x0
 00877   484   NtClose  (100, ... ) == 0x0
 00878   484   NtUnmapViewOfSection  (-1, 0xa10000, ... ) == 0x0
 00879   484   NtUnmapViewOfSection  (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW
 00880   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00881   484   NtOpenKey  (0x8, {24, 0, 0x40, 0, 0,  (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00882   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00883   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00884   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00885   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00886   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00887   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00888   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... ) == 0x0
 00889   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0
 00890   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 00891   484   NtCreateKey  (0x2001f, {24, 84, 0x40, 0, 0,  (0x2001f, {24, 84, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 96, 2, ) }, 0, 0x0, 0, ... 96, 2, ) == 0x0
 00892   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00893   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00894   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00895   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241484, ... ) }, 1241484, ... ) == 0x0
 00896   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00897   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 104, ... 108, ) == 0x0
 00898   484   NtQuerySection  (108, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00899   484   NtClose  (104, ... ) == 0x0
 00900   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0
 00901   484   NtClose  (108, ... ) == 0x0
 00902   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00903   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00904   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00905   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1240680, ... ) }, 1240680, ... ) == 0x0
 00906   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 108, {status=0x0, info=1}, ) }, 5, 96, ... 108, {status=0x0, info=1}, ) == 0x0
 00907   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 108, ... 104, ) == 0x0
 00908   484   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00909   484   NtClose  (108, ... ) == 0x0
 00910   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0
 00911   484   NtClose  (104, ... ) == 0x0
 00912   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00913   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 00914   484   NtTestAlert  (... ) == 0x0
 00915   484   NtContinue  (1244464, 1, ...
 00916   484   NtSetInformationThread  (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x48f155,}, 4, ... ) == 0x0
 00917   484   NtQueryPerformanceCounter  (... {102660380, 0}, {3579545, 0}, ) == 0x0
 00918   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00919   484   NtAllocateVirtualMemory  (-1, 0, 0, 65536, 8192, 4, ... 10551296, 65536, ) == 0x0
 00920   484   NtAllocateVirtualMemory  (-1, 10551296, 0, 4096, 4096, 4, ... 10551296, 4096, ) == 0x0
 00921   484   NtAllocateVirtualMemory  (-1, 10555392, 0, 8192, 4096, 4, ... 10555392, 8192, ) == 0x0
 00922   484   NtAllocateVirtualMemory  (-1, 10563584, 0, 4096, 4096, 4, ... 10563584, 4096, ) == 0x0
 00923   484   NtAllocateVirtualMemory  (-1, 10567680, 0, 4096, 4096, 4, ... 10567680, 4096, ) == 0x0
 00924   484   NtAllocateVirtualMemory  (-1, 0, 0, 6, 12288, 64, ... 10616832, 4096, ) == 0x0
 00925   484   NtProtectVirtualMemory  (-1, (0xa20000), 6, 64, ...
 00926   484   NtContinue  (-130842836, 0, ...
 00925   484   NtProtectVirtualMemory  ... ) == STATUS_ACCESS_VIOLATION
 00927   484   NtFreeVirtualMemory  (-1, (0xa20000), 0, 32768, ... (0xa20000), 4096, ) == 0x0
 00928   484   NtCreateKey  (0xf003f, {24, 28, 0x40, 0, 0,  (0xf003f, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 104, 2, ) }, 0, 0x0, 0, ... 104, 2, ) == 0x0
 00929   484   NtDeleteValueKey  (104,  (104, "Win32 Help Service", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00930   484   NtClose  (104, ... ) == 0x0
 00931   484   NtCreateFile  (0x40100080, {24, 0, 0x42, 0, 1241344,  (0x40100080, {24, 0, 0x42, 0, 1241344, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 0x0, 128, 3, 5, 96, 0, 0, ... }, 0x0, 128, 3, 5, 96, 0, 0, ...
 00932   484   NtClose  (-2147482020, ... ) == 0x0
 00931   484   NtCreateFile  ... 104, {status=0x0, info=2}, ) == 0x0
 00933   484   NtQueryVolumeInformationFile  (104, 1241448, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 00934   484   NtAllocateVirtualMemory  (-1, 10571776, 0, 8192, 4096, 4, ... 10571776, 8192, ) == 0x0
 00935   484   NtWriteFile  (104, 0, 0, 0,  (104, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (104, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) u:\work\packed.exe (104, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) %0 (104, 0, 0, 0, "@echo off\15\15\12:1\15\15\12del "u:\work\packed.exe"\15\15\12if exist "u:\work\packed.exe" goto 1\15\15\12del "%0"\15\15\12", 94, 0x0, 0, ... {status=0x0, info=94}, ) , 94, 0x0, 0, ... {status=0x0, info=94}, ) == 0x0
 00936   484   NtClose  (104, ... ) == 0x0
 00937   484   NtOpenKey  (0x9, {24, 28, 0x40, 0, 0,  (0x9, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00938   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1235044, ... ) }, 1235044, ... ) == 0x0
 00939   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00940   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 108, ) == 0x0
 00941   484   NtClose  (104, ... ) == 0x0
 00942   484   NtMapViewOfSection  (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 262144, ) == 0x0
 00943   484   NtClose  (108, ... ) == 0x0
 00944   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00945   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00946   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00947   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 00948   484   NtAllocateVirtualMemory  (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0
 00949   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... 108, {status=0x0, info=0}, ) }, 7, 16, ... 108, {status=0x0, info=0}, ) == 0x0
 00950   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, ", 256, 256, ... , 256, 256, ...
 00951   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 00952   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 00953   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 00954   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 00955   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 00956   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 00957   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 00958   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 00959   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\210\22\315\261\230\13\210f\235\347\277\25H\20P\22\304\0;\34\210J\312\304\350\32\254\10\272\325*Lx\0j\24\302,\5\11G\342r\217?\276;\225+kvR13\212\273\263G\274[\335\267\237o\367\320\317\256n\177\254\260\16K\361\7\317\326", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\210\22\315\261\230\13\210f\235\347\277\25H\20P\22\304\0;\34\210J\312\304\350\32\254\10\272\325*Lx\0j\24\302,\5\11G\342r\217?\276;\225+kvR13\212\273\263G\274[\335\267\237o\367\320\317\256n\177\254\260\16K\361\7\317\326", 80, ... ) , 80, ... ) == 0x0
 00960   484   NtClose  (-2147482020, ... ) == 0x0
 00950   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "5\362;\3572\257\34\322\35r\315\251\276N]9j\371\225\251\337\305\2039T\352\311\261[O\23\360\201\213\266?\252\354\351\26\304\374:ky\20\346Nr?\214\7\10\376eEe\310\30\210\326\354\221\323r>\325\272G\4x\322\30D\305.h\374\25\5h\23F\254PJ\14\245W\234\217\365\37\356Q\266\370\275\11\330\227E\207\304}A\\227I\212j\370\11(n\206\232\245>\31\270v}\33CE\311zQpF\301\225\233\330A\301\313nh\353A8\355($\251\341\321\300XN\\263\273\377nE\325 g.\345\34D)\353\230\13W\305\373C\4\266\30\204\23\231C\245\15\355DPc\7C\243\274KW\230+s?\265\210\205\30{>\226~\256\263\21c/\332\257\220\223\255~KX\255v\250\262g\252\223\367|\226Z\363\350\364\305.(\215`a\310\12IZ<\217C\367\14\206v\320\374\234\354\356[", ) , ) == 0x0
 00961   484   NtAllocateVirtualMemory  (-1, 1429504, 0, 16384, 4096, 4, ... 1429504, 16384, ) == 0x0
 00962   484   NtUserRegisterClassExWOW  (1237128, 1237208, 1237192, 1237224, 0, 384, 0, ... ) == 0x810cc038
 00963   484   NtUserGetAtomName  (49208, 1235892, ... ) == 0x15
 00964   484   NtUserCreateWindowEx  (0, 49208, 49208,  (0, 49208, 49208, "OleMainThreadWndName", -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ... , -2013265920, -2147483648, -2147483648, -2147483648, -2147483648, -3, 0, 1998258176, 0, 1073742848, 0, ...
 00965   484   NtAllocateVirtualMemory  (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0
 00966   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233416, ... ) }, 1233416, ... ) == 0x0
 00967   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0
 00968   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 104, ... 112, ) == 0x0
 00969   484   NtClose  (104, ... ) == 0x0
 00970   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa20000), 0x0, 204800, ) == 0x0
 00971   484   NtClose  (112, ... ) == 0x0
 00972   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 00973   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1233732, ... ) }, 1233732, ... ) == 0x0
 00974   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 112, {status=0x0, info=1}, ) }, 5, 96, ... 112, {status=0x0, info=1}, ) == 0x0
 00975   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 112, ... 104, ) == 0x0
 00976   484   NtQuerySection  (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 00977   484   NtClose  (112, ... ) == 0x0
 00978   484   NtMapViewOfSection  (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0
 00979   484   NtClose  (104, ... ) == 0x0
 00980   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 00981   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 00982   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00983   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00984   484   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00985   484   NtClose  (104, ... ) == 0x0
 00986   484   NtOpenKey  (0x2001f, {24, 0, 0x640, 0, 0,  (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 104, ) }, ... 104, ) == 0x0
 00987   484   NtOpenKey  (0x1, {24, 104, 0x40, 0, 0,  (0x1, {24, 104, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 112, ) }, ... 112, ) == 0x0
 00988   484   NtQueryValueKey  (112,  (112, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00989   484   NtClose  (112, ... ) == 0x0
 00990   484   NtClose  (104, ... ) == 0x0
 00991   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 00992   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 104, ) == 0x0
 00993   484   NtQueryInformationToken  (104, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 00994   484   NtClose  (104, ... ) == 0x0
 00995   484   NtOpenKey  (0x20019, {24, 0, 0x640, 0, 0,  (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 104, ) }, ... 104, ) == 0x0
 00996   484   NtOpenKey  (0x1, {24, 104, 0x40, 0, 0,  (0x1, {24, 104, 0x40, 0, 0, "Control Panel\Desktop"}, ... 112, ) }, ... 112, ) == 0x0
 00997   484   NtQueryValueKey  (112,  (112, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 00998   484   NtClose  (112, ... ) == 0x0
 00999   484   NtClose  (104, ... ) == 0x0
 01000   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1233232, ... ) }, 1233232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01001   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1233232, ... ) }, 1233232, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01002   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1233232, ... ) }, 1233232, ... ) == 0x0
 01003   484   NtUserGetProcessWindowStation  (... ) == 0x28
 01004   484   NtUserGetObjectInformation  (40, 2, 0, 0, 1235528, ... ) == 0x0
 01005   484   NtUserGetObjectInformation  (40, 2, 1442728, 16, 1235528, ... ) == 0x1
 01006   484   NtUserGetGUIThreadInfo  (484, 1235484, ... ) == 0x1
 01007   484   NtConnectPort  ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1235304, 64, ... 104, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1235304, 64, ... 104, 0x0, 0x0, 0x0, 64, ) == 0x0
 01008   484   NtRequestWaitReplyPort  (104, {32, 56, new_msg, 0, 0, 0, 0, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 468, 484, 1583, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1583, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01009   484   NtRequestWaitReplyPort  (104, {32, 56, new_msg, 0, 0, 0, 0, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1584, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 468, 484, 1584, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1584, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01010   484   NtUserCallNoParam  (29, ...
 01011   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232776, ... ) }, 1232776, ... ) == 0x0
 01010   484   NtUserCallNoParam  ... ) == 0x0
 01012   484   NtUserSystemParametersInfo  (41, 0, 1524225160, 0, ... ) == 0x1
 01013   484   NtGdiHfontCreate  (1234856, 356, 0, 0, 1414696, ... ) == 0x80a0454
 01014   484   NtGdiHfontCreate  (1234856, 356, 0, 0, 1414688, ... ) == 0x60a0455
 01015   484   NtRequestWaitReplyPort  (104, {32, 56, new_msg, 0, 0, 0, 0, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1585, 0} "\0\0\0\0\0\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {32, 56, reply, 0, 468, 484, 1585, 0}  (104, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 468, 484, 1585, 0} "\0\0\0\0\0\0\0\0p\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 01016   484   NtMapViewOfSection  (112, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 331776, ) == 0x0
 01017   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01018   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01019   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01020   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01021   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01022   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01023   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01024   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01025   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01026   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01027   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01028   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01029   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01030   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01031   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01032   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01033   484   NtUserGetWindowDC  (0, ... ) == 0x1010051
 01034   484   NtGdiCreatePatternBrushInternal  (59048369, 0, 0, ... ) == 0x1100457
 01035   484   NtUserCallOneParam  (16842833, 56, ... ) == 0x1
 01036   484   NtUserCallNoParam  (29, ...
 01037   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232220, ... ) }, 1232220, ... ) == 0x0
 01036   484   NtUserCallNoParam  ... ) == 0x0
 01038   484   NtUserCallNoParam  (29, ...
 01039   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1232216, ... ) }, 1232216, ... ) == 0x0
 01038   484   NtUserCallNoParam  ... ) == 0x0
 01040   484   NtUserMessageCall  (0x200b2, WM_NCCREATE, 0x0, 0x12db60, 0, 670, 0, ... ) == 0x1
 01041   484   NtUserMessageCall  (0x200b2, WM_NCCALCSIZE, 0x0, 0x12db88, 0, 670, 0, ... ) == 0x0
 01042   484   NtUserSetProp  (131250, 43288, -1, ... ) == 0x1
 00964   484   NtUserCreateWindowEx  ... ) == 0x200b2
 01043   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304E\241\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304E\241\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01044   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01045   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01046   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01047   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01048   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01049   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01050   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01051   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01052   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "([\2721\377\236\34\252$2\226G\30\207\267\241O1a?;\31\216jQu\316\257Ex\327}4\370"f\353\204`e\262\376c\255BI\207@\231\36=\33y@\366\315Yy\327\223\367\237n\372X\275O%\22\312,:\221is\252\370\20%c", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "([\2721\377\236\34\252$2\226G\30\207\267\241O1a?;\31\216jQu\316\257Ex\327}4\370"f\353\204`e\262\376c\255BI\207@\231\36=\33y@\366\315Yy\327\223\367\237n\372X\275O%\22\312,:\221is\252\370\20%c", 80, ... ) f\353\204`e\262\376c\255BI\207@\231\36=\33y@\366\315Yy\327\223\367\237n\372X\275O%\22\312,:\221is\252\370\20%c", 80, ... ) == 0x0
 01053   484   NtClose  (-2147482020, ... ) == 0x0
 01043   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "k\212\3\326\326\303 e\264 \3632p\341\321p\261\222\227r\335k#\230T\274\344\335\200\340\254\201\333w\277&K\201ut\263\240j\345T\211\263x\234\14\33\301y\10\202\274\6q\273\305(\16\357\10vr\272\366\330\3105\310\211\250\242\373\311\221\336\201\236e\261[\202\314\264\365^/\233\217\34\4&['\32?b\260l\377\344\251\224Z\264 &\10\333\220\31Tm(\0\4O\217\263v,\340\205\3008\300\376M\262\324\336\366\353o\326P\331\311z\364w>b\316\366\250\2\237\360\270f\20\370\246=8 \353\266\327\306\357G\24\327ok\226~V\301\360\270\360\333\1\376Q{\27\275\272\210\340\233\323\276,xB\255\3513\376C5\213 \314~Ss\246\367\270\302\224\2472\231E3w\34\6M G\22\25\277\324\373e\303H\367a\5\334.\356Sn\272T\334:7\25\333W\363\24+\227-\15<\37\375\177\10", ) , ) == 0x0
 01054   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01055   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01056   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01057   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01058   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01059   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01060   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01061   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01062   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01063   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "va\3161\25m\314\276\370cX\231Rz\274\344.\302k\224mh\2\224\16\340\32\254p\30\345-\211\366\6h{\342FZ\364+\313@\250N\12lK\360lj\336{\322}\1\354\266\376\241B\2044t)\322\37G\354BK\346R\353'I\273\264\341", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "va\3161\25m\314\276\370cX\231Rz\274\344.\302k\224mh\2\224\16\340\32\254p\30\345-\211\366\6h{\342FZ\364+\313@\250N\12lK\360lj\336{\322}\1\354\266\376\241B\2044t)\322\37G\354BK\346R\353'I\273\264\341", 80, ... ) , 80, ... ) == 0x0
 01064   484   NtClose  (-2147482020, ... ) == 0x0
 01054   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "h\246/v\210\332\243\363\337.\31\205\222}\264\275\261\275V\254\260\261\\273\273\26[I\210W\102\307a\214\337.7(f\14\2669\321\247\303j\226/\264`\367\36\12\24\17J\350.\2521\10\260\12*\251\227\352\247\30\303m\22\271M\257\311T\227\264I\242\271\360G+>\363\220/Z5\271\256\201\3718\303\222:\337\366\25\342\240]\241\372,\16.&\300K`\340\201T\374\20\217\32(\307\234\261\20Hi<\337\14;B\201\377\254\355\201\336\211\362@\15:\370\17\326)9#\313\333Dn/\362\254\321"\351p\35\24U\326\327J?\200\262\303@h"\265\304;\267\373B\2418a/H`\25A\324\237\322\302\315q\207\275\254e\354\245\256\361gR\3178fm\305\355o\215S\6\25f\367\317\371^\221d]\346n\20\364\346\224\273\222VC\254\311\304\5\230}V\331\204\243\370\237\334\223\20s\256k\350N\255", ) \351p\35\24U\326\327J?\200\262\303@h ... {status=0x0, info=256}, "h\246/v\210\332\243\363\337.\31\205\222}\264\275\261\275V\254\260\261\\273\273\26[I\210W\102\307a\214\337.7(f\14\2669\321\247\303j\226/\264`\367\36\12\24\17J\350.\2521\10\260\12*\251\227\352\247\30\303m\22\271M\257\311T\227\264I\242\271\360G+>\363\220/Z5\271\256\201\3718\303\222:\337\366\25\342\240]\241\372,\16.&\300K`\340\201T\374\20\217\32(\307\234\261\20Hi<\337\14;B\201\377\254\355\201\336\211\362@\15:\370\17\326)9#\313\333Dn/\362\254\321"\351p\35\24U\326\327J?\200\262\303@h"\265\304;\267\373B\2418a/H`\25A\324\237\322\302\315q\207\275\254e\354\245\256\361gR\3178fm\305\355o\215S\6\25f\367\317\371^\221d]\346n\20\364\346\224\273\222VC\254\311\304\5\230}V\331\204\243\370\237\334\223\20s\256k\350N\255", ) , ) == 0x0
 01065   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01066   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01067   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01068   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01069   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01070   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01071   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01072   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01073   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01074   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "y\354\247\13I\377l\267\14\31~H\363%\216b:f\3334\313\13-$(\261O$)\254~\361\310y\351\362\14yxL\343m="\316\25tV\336J\341\377B-\304\262\276GLh$V!F\271Q\\243\374\300\234\242\304+\363\0\224y\275\373", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "y\354\247\13I\377l\267\14\31~H\363%\216b:f\3334\313\13-$(\261O$)\254~\361\310y\351\362\14yxL\343m="\316\25tV\336J\341\377B-\304\262\276GLh$V!F\271Q\\243\374\300\234\242\304+\363\0\224y\275\373", 80, ... ) \316\25tV\336J\341\377B-\304\262\276GLh$V!F\271Q\\243\374\300\234\242\304+\363\0\224y\275\373", 80, ... ) == 0x0
 01075   484   NtClose  (-2147482020, ... ) == 0x0
 01065   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "$\320\212'(j\335\355f\276\271\236\274\230/\320\360\241\365\16i\207\12cU\355\362\343\351\36\14\272\336\251\354\242\375\354\317\34Vm\35\377\250\307\334\224\2\244\373\325\324\3\10`q\244\0J\250KbEh\304x\4\22\257A\363\265>\271\11\33\225:{\244\1,&\313\352-\26\33)%k\313\374l\3\232\24\256W\261\320\310\227\14\373\230y@\233\276\277\32261#ix\251\261=\374F\272W\342G\276\34\2412\275\344s)\302\17\302M\30B\362\237u\372\222\6\13Y\237^\345\357\33\314\345g\217\303Q\7\317\305\351\20\344i\372q[\2\353#|}C\355>\6\271\241f\225\205\214\320\11\275\305X\337=\277\213\362\220|I\3376\273<\330\346)\337OF\27B\214\344\21\330\201c:\12\205\212$2L/#\3\267?l@^)'\1bR\360\222\37\0q,\322`\254*\21\5\31hx%z\367\21\3", ) , ) == 0x0
 01076   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01077   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01078   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01079   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01080   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01081   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01082   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01083   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01084   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01085   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "C\17G\227\347\277\5\304y\252N\221\32\376\344\214\331\10\353Q\30\227_\3239]\364\223-\34\210\223\1\1&\203X,\224\202\265\203\10\31\306\245\357\222q\2657D8\14\7\364\244\371\2427z*\215\317\340\32\30V\256\22\262xFKG\30\3:\2\16", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "C\17G\227\347\277\5\304y\252N\221\32\376\344\214\331\10\353Q\30\227_\3239]\364\223-\34\210\223\1\1&\203X,\224\202\265\203\10\31\306\245\357\222q\2657D8\14\7\364\244\371\2427z*\215\317\340\32\30V\256\22\262xFKG\30\3:\2\16", 80, ... ) , 80, ... ) == 0x0
 01086   484   NtClose  (-2147482020, ... ) == 0x0
 01076   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\270=9JOdr\303,5?\246&\326\251\325\323\353\242\230p\310\364\215\373\227@\346\352\31\270R\336"\241\35\1\3428\220&6R\262\372\260\214qV~5Q\224\27\321+\214\306%Z\25\345\220\221Cm\260\237]\240\177\204\3347\225\307q=?.x7H=\211M?D\301\276\310\277v\324\231\320\202\17\227\23:\277wM\371\377\234\24\347c\24\2557\313\21%\4\361{T\36\314\32\365pn)\350\326Kp\345\327\317\346M\352\376\200\267\231\225G\177\271"\373\330\366i\347\5\342b\204\cElzd\332\300\3758\210\217\330\203\252\305\264%\22q\324\306\232\206\364C\253\310:d\346\314\236i|v\325\6\225\212v\252\353\205S\372\351K\260\331g \306U\35\303C\375\5a\200\274i\231-TU\202\371\241fKsT\302ej8<\264\231D\303\13S==\236\224%\345\355\250[\337>\330\323\217\247_", ) \241\35\1\3428\220&6R\262\372\260\214qV~5Q\224\27\321+\214\306%Z\25\345\220\221Cm\260\237]\240\177\204\3347\225\307q=?.x7H=\211M?D\301\276\310\277v\324\231\320\202\17\227\23:\277wM\371\377\234\24\347c\24\2557\313\21%\4\361{T\36\314\32\365pn)\350\326Kp\345\327\317\346M\352\376\200\267\231\225G\177\271 ... {status=0x0, info=256}, "\270=9JOdr\303,5?\246&\326\251\325\323\353\242\230p\310\364\215\373\227@\346\352\31\270R\336"\241\35\1\3428\220&6R\262\372\260\214qV~5Q\224\27\321+\214\306%Z\25\345\220\221Cm\260\237]\240\177\204\3347\225\307q=?.x7H=\211M?D\301\276\310\277v\324\231\320\202\17\227\23:\277wM\371\377\234\24\347c\24\2557\313\21%\4\361{T\36\314\32\365pn)\350\326Kp\345\327\317\346M\352\376\200\267\231\225G\177\271"\373\330\366i\347\5\342b\204\cElzd\332\300\3758\210\217\330\203\252\305\264%\22q\324\306\232\206\364C\253\310:d\346\314\236i|v\325\6\225\212v\252\353\205S\372\351K\260\331g \306U\35\303C\375\5a\200\274i\231-TU\202\371\241fKsT\302ej8<\264\231D\303\13S==\236\224%\345\355\250[\337>\330\323\217\247_", ) , ) == 0x0
 01087   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01088   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01089   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01090   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01091   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01092   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01093   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01094   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01095   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01096   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "\326M!\15\203\355d\23$\355\246.c\36\242ldw\207d.\233\302\325\26+\37\343Zx\2437\5mx\342\257VE\272\221\333?\35\334\321\211\3+\231\340\357\377S\351I\362\362\24\341-#\304!\253\335\227=\215\275<\24XG\6&\367l\360", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "\326M!\15\203\355d\23$\355\246.c\36\242ldw\207d.\233\302\325\26+\37\343Zx\2437\5mx\342\257VE\272\221\333?\35\334\321\211\3+\231\340\357\377S\351I\362\362\24\341-#\304!\253\335\227=\215\275<\24XG\6&\367l\360", 80, ... ) , 80, ... ) == 0x0
 01097   484   NtClose  (-2147482020, ... ) == 0x0
 01087   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, ";\347\330%!\225\15T\231\14\365\235bu\345\27\2k\364ff\321G\316=\371TGs\207\206\31522\22D#A\23\6\364j\326\21\35\227\35\320\332X\377\301\214\347\370\311\271O\25p\326\265Ym)\227z\201v[a\331\271e\5\300\325:t=F#e\365\222\216\26e\237$A\337\204ON\304y}\204\264\37\213\226\23s\347ECw\36 :\266\325h0\307"\252\245\347wV| Y9S\3\313\177\315-?\363\244dx\26~\322\352o\36\371\306\337\364\32\353\40\ao\251+\317$\31?\21\12\371%\234\236|\255\37\335\204<\210\353\27\272\336\371l\2649\333\246&:\277\225K\240\2071\321\261\324;98"\26\244 \334\202lz\267\346_k\324\20\310\246G!\316\242\351\360nc\15N)\346\314$\246\232'gG\255\277G\26S\357QUy@h\252j\24\25T\6h\330\31\24", ) \252\245\347wV| Y9S\3\313\177\315-?\363\244dx\26~\322\352o\36\371\306\337\364\32\353\40\ao\251+\317$\31?\21\12\371%\234\236|\255\37\335\204<\210\353\27\272\336\371l\2649\333\246&:\277\225K\240\2071\321\261\324;98 ... {status=0x0, info=256}, ";\347\330%!\225\15T\231\14\365\235bu\345\27\2k\364ff\321G\316=\371TGs\207\206\31522\22D#A\23\6\364j\326\21\35\227\35\320\332X\377\301\214\347\370\311\271O\25p\326\265Ym)\227z\201v[a\331\271e\5\300\325:t=F#e\365\222\216\26e\237$A\337\204ON\304y}\204\264\37\213\226\23s\347ECw\36 :\266\325h0\307"\252\245\347wV| Y9S\3\313\177\315-?\363\244dx\26~\322\352o\36\371\306\337\364\32\353\40\ao\251+\317$\31?\21\12\371%\234\236|\255\37\335\204<\210\353\27\272\336\371l\2649\333\246&:\277\225K\240\2071\321\261\324;98"\26\244 \334\202lz\267\346_k\324\20\310\246G!\316\242\351\360nc\15N)\346\314$\246\232'gG\255\277G\26S\357QUy@h\252j\24\25T\6h\330\31\24", ) , ) == 0x0
 01098   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01099   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01100   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01101   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01102   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01103   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01104   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01105   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01106   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01107   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "3\370Yt\264S\263\217\245\321d\231=\31\361|\225U\347\303\274\307\202x\270\377\312\252\32.D\312\204x\13e\250^\216\330?\230az\362", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "3\370Yt\264S\263\217\245\321d\231=\31\361|\225U\347\303\274\307\202x\270\377\312\252\32.D\312\204x\13e\250^\216\330?\230az\362", 80, ... ) \330?\230az\362", 80, ... ) == 0x0
 01108   484   NtClose  (-2147482020, ... ) == 0x0
 01098   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "\230\220Iu\336\330\332L\205k5\205\27\262\5PSvK\255;\26c,\367J\15\276\353\354X\223Y\377\377#\202\303\37\0"6M\304\16\353@\245\362v/\3\1]\264\240\351)B\317\177\327\207\16g7\320^z\3\312\241\241\232\263\265\324\207\347\350\10\304\356\306\330w\203i8\211\35\12Wc\301\220h\201\253\226\322:d\307\315\227\316E\337]\240\260\264\374\305\221\273\27ft\34D\227\371\323j\33\323\13\364x!v\271\201\261\365J^b\367\324\350\341\321\313Q\35\31I\27\352\335\242\365u\302\211\36\305\353\7\377\324\245f\345l\37\331\32\236\374%\13G\15+^\374\3266\221\316\2619s\327NE\4\215\364\222\1g\235T\222|\302[\37\236\363~\377\210\221\271\25\221\20__9@\346h\234\361\5\301\337\32cA\205F>:\220\20\17\217\213a\235f\350\2}\230?\262(\317\201_G(4\306B\347", ) 6M\304\16\353@\245\362v/\3\1]\264\240\351)B\317\177\327\207\16g7\320^z\3\312\241\241\232\263\265\324\207\347\350\10\304\356\306\330w\203i8\211\35\12Wc\301\220h\201\253\226\322:d\307\315\227\316E\337]\240\260\264\374\305\221\273\27ft\34D\227\371\323j\33\323\13\364x!v\271\201\261\365J^b\367\324\350\341\321\313Q\35\31I\27\352\335\242\365u\302\211\36\305\353\7\377\324\245f\345l\37\331\32\236\374%\13G\15+^\374\3266\221\316\2619s\327NE\4\215\364\222\1g\235T\222|\302[\37\236\363~\377\210\221\271\25\221\20__9@\346h\234\361\5\301\337\32cA\205F>:\220\20\17\217\213a\235f\350\2}\230?\262(\317\201_G(4\306B\347", ) == 0x0
 01109   484   NtDeviceIoControlFile  (108, 0, 0x0, 0x0, 0x390008,  (108, 0, 0x0, 0x0, 0x390008, "\243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... \243\304Q\212;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\374\246;\342\334\344k\350\215\246f\252\344\1\203\361\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ...
 01110   484   NtQuerySystemInformation  (TimeOfDay, 48, ... {system info, class 3, size 48}, 48, ) == 0x0
 01111   484   NtQuerySystemInformation  (ProcessorTimes, 48, ... {system info, class 8, size 48}, 48, ) == 0x0
 01112   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0
 01113   484   NtQuerySystemInformation  (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0
 01114   484   NtQuerySystemInformation  (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0
 01115   484   NtQuerySystemInformation  (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0
 01116   484   NtQuerySystemInformation  (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH
 01117   484   NtCreateKey  (0x2, {24, 0, 0x240, 0, 0,  (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482020, 2, ) }, 0, 0x0, 0, ... -2147482020, 2, ) == 0x0
 01118   484   NtSetValueKey  (-2147482020,  (-2147482020, "Seed", 0, 3, "X\215C\227\222bY\353\272\363DU\14\321\314\237\354&_\347\242\25\302[\242p\270\274\247\216\336~\254\346\331 \2369\257\320\251I\303<\3202\371\3354LiI\242\311\355\225\26n\323[q\372\372*\367\32\301\34d*t6\15\300\2422]\265V", 80, ... ) , 0, 3,  (-2147482020, "Seed", 0, 3, "X\215C\227\222bY\353\272\363DU\14\321\314\237\354&_\347\242\25\302[\242p\270\274\247\216\336~\254\346\331 \2369\257\320\251I\303<\3202\371\3354LiI\242\311\355\225\26n\323[q\372\372*\367\32\301\34d*t6\15\300\2422]\265V", 80, ... ) , 80, ... ) == 0x0
 01119   484   NtClose  (-2147482020, ... ) == 0x0
 01109   484   NtDeviceIoControlFile  ... {status=0x0, info=256},  ... {status=0x0, info=256}, "h\314\315\272\372\226*'\267\343\24?\271\246\35ZHwO3l\206\337\253\375lL\264\304\4>\340\235o\247\212W\14PN\245\222\3\237%m\254\363$\223\355\275\338\247\32\214\355\210K\230M\177?\226\21\375\5\177\345FD\203\24\370DP%\331\244b_\25E&\337\214ugl\341\377|\335\311f\261\35\332\236Y\301W\336\35\235@\25\264\217\223\344i\266\326\272\207ki\342I\374\314\331-\273\264\363\355\223A\234"u\333\251\333\331\355\361\210Y\344\262)Fj\371\\30\221\273h/\227}'G\360\333\316\302\36\221u\327\232}\23.\33\30*", ) u\333\251\333\331\355\361\210Y\344\262)Fj\371\\30\221\273h/\227}'G\360\333\316\302\36\221u\327\232}\23.\33\30*", ) == 0x0
 01120   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 116, ) }, ... 116, ) == 0x0
 01121   484   NtQueryValueKey  (116,  (116, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01122   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 120, ) }, ... 120, ) == 0x0
 01123   484   NtQueryValueKey  (120,  (120, "MaximizeApps", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01124   484   NtClose  (120, ... ) == 0x0
 01125   484   NtClose  (116, ... ) == 0x0
 01126   484   NtAllocateVirtualMemory  (-1, 1445888, 0, 24576, 4096, 4, ... 1445888, 24576, ) == 0x0
 01127   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "netapi32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01128   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\netapi32.dll"}, 1235288, ... ) }, 1235288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01129   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "netapi32.dll"}, 1235288, ... ) }, 1235288, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01130   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 1235288, ... ) }, 1235288, ... ) == 0x0
 01131   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netapi32.dll"}, 5, 96, ... 116, {status=0x0, info=1}, ) }, 5, 96, ... 116, {status=0x0, info=1}, ) == 0x0
 01132   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 116, ... 120, ) == 0x0
 01133   484   NtQuerySection  (120, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01134   484   NtClose  (116, ... ) == 0x0
 01135   484   NtMapViewOfSection  (120, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0
 01136   484   NtClose  (120, ... ) == 0x0
 01137   484   NtQuerySystemInformation  (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0
 01138   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01139   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 120, ) }, ... 120, ) == 0x0
 01140   484   NtQueryValueKey  (120,  (120, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01141   484   NtClose  (120, ... ) == 0x0
 01142   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01143   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 120, ) == 0x0
 01144   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 116, ) == 0x0
 01145   484   NtQuerySystemTime  (... {2076007040, 29873135}, ) == 0x0
 01146   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 124, ) == 0x0
 01147   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01148   484   NtQuerySystemInformation  (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0
 01149   484   NtQueryInformationProcess  (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0
 01150   484   NtQueryInformationProcess  (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0
 01151   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 128, ) == 0x0
 01152   484   NtDuplicateObject  (-1, -2, -1, 0x0, 0, 2, ... 132, ) == 0x0
 01153   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 136, ) }, ... 136, ) == 0x0
 01154   484   NtOpenKey  (0x20019, {24, 136, 0x40, 0, 0,  (0x20019, {24, 136, 0x40, 0, 0, "ActiveComputerName"}, ... 140, ) }, ... 140, ) == 0x0
 01155   484   NtQueryValueKey  (140,  (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (140, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01156   484   NtClose  (140, ... ) == 0x0
 01157   484   NtClose  (136, ... ) == 0x0
 01158   484   NtCreateIoCompletion  (0x1f0003, 0x0, 0, ... 136, ) == 0x0
 01159   484   NtCreateIoCompletion  (0x1f0003, 0x0, -1, ... 140, ) == 0x0
 01160   484   NtDuplicateObject  (-1, 136, -1, 0x0, 0, 2, ... 144, ) == 0x0
 01161   484   NtAllocateVirtualMemory  (-1, 1470464, 0, 4096, 4096, 4, ... 1470464, 4096, ) == 0x0
 01162   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01163   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0
 01164   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01165   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01166   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1235656,  (0xc0100080, {24, 0, 0x40, 0, 1235656, "\??\PIPE\wkssvc"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 152, {status=0x0, info=1}, ) == 0x0
 01167   484   NtSetInformationFile  (152, 1235712, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01168   484   NtSetInformationFile  (152, 1235704, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01169   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01170   484   NtWriteFile  (152, 129, 0, 0,  (152, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\230\320\377k\22\241\206\2303F\303\370~4Z\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01171   484   NtAllocateVirtualMemory  (-1, 1474560, 0, 4096, 4096, 4, ... 1474560, 4096, ) == 0x0
 01172   484   NtReadFile  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (152, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0
 01173   484   NtFsControlFile  (152, 129, 0x0, 0x0, 0x11c017,  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 32, 1024, ... {status=0x103, info=68},  (152, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0", 32, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\265"\0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\wkssvc\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103
 01174   484   NtClose  (148, ... ) == 0x0
 01175   484   NtClose  (152, ... ) == 0x0
 01176   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1235700, ... ) }, 1235700, ... ) == 0x0
 01177   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01178   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01179   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1235520, ... ) }, 1235520, ... ) == 0x0
 01180   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01181   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01182   484   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1475712, 0,  (0x1f0003, {24, 52, 0x80, 1475712, 0, "shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}"}, 0, 2147483647, ... 152, ) }, 0, 2147483647, ... 152, ) == STATUS_OBJECT_NAME_EXISTS
 01183   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01184   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01185   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01186   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01187   484   NtQueryValueKey  (148,  (148, "NoNetHood", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01188   484   NtClose  (148, ... ) == 0x0
 01189   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01190   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01191   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01192   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01193   484   NtQueryValueKey  (148,  (148, "NoPropertiesMyComputer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01194   484   NtClose  (148, ... ) == 0x0
 01195   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01196   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01197   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01198   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01199   484   NtQueryValueKey  (148,  (148, "NoInternetIcon", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01200   484   NtClose  (148, ... ) == 0x0
 01201   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01202   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01203   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01204   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01205   484   NtQueryValueKey  (148,  (148, "NoCommonGroups", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01206   484   NtClose  (148, ... ) == 0x0
 01207   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01208   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01209   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01210   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01211   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01212   484   NtQueryValueKey  (148,  (148, "NoControlPanel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01213   484   NtClose  (148, ... ) == 0x0
 01214   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01215   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01216   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01217   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 148, ) }, ... 148, ) == 0x0
 01218   484   NtQueryValueKey  (148,  (148, "NoSetFolders", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01219   484   NtClose  (148, ... ) == 0x0
 01220   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01221   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 148, ) == 0x0
 01222   484   NtQueryInformationToken  (148, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01223   484   NtClose  (148, ... ) == 0x0
 01224   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 148, ) }, ... 148, ) == 0x0
 01225   484   NtSetInformationObject  (150, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0
 01226   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01227   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01228   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... 156, ) }, ... 156, ) == 0x0
 01229   484   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 01230   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01231   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01232   484   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01233   484   NtClose  (160, ... ) == 0x0
 01234   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01235   484   NtQueryValueKey  (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data= (158, 0x0, Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0S\0H\0E\0L\0L\03\02\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0
 01236   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\SHELL32.dll"}, 1233428, ... ) }, 1233428, ... ) == 0x0
 01237   484   NtClose  (158, ... ) == 0x0
 01238   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01239   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01240   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions"}, ... 156, ) }, ... 156, ) == 0x0
 01241   484   NtAllocateVirtualMemory  (-1, 1478656, 0, 4096, 4096, 4, ... 1478656, 4096, ) == 0x0
 01242   484   NtQueryKey  (158, Name, 392, ... {Name= (158, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensionsl"}, 134, ) }, 134, ) == 0x0
 01243   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01244   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 160, ) == 0x0
 01245   484   NtQueryInformationToken  (160, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01246   484   NtClose  (160, ... ) == 0x0
 01247   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01248   484   NtEnumerateKey  (158, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name= (158, 0, Node, 288, ... {LastWrite={0x5abc7c30,0x1c73999}, TitleIdx=0, Name="{fbeb8a05-beee-4442-804e-409d6c4515e9}", Class=""}, 100, ) , Class=""}, 100, ) == 0x0
 01249   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01250   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01251   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... 160, ) }, ... 160, ) == 0x0
 01252   484   NtQueryKey  (162, Name, 392, ... {Name= (162, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, 212, ) }, 212, ) == 0x0
 01253   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01254   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 164, ) == 0x0
 01255   484   NtQueryInformationToken  (164, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01256   484   NtClose  (164, ... ) == 0x0
 01257   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01258   484   NtQueryValueKey  (162,  (162, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (162, "DriveMask", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0
 01259   484   NtClose  (162, ... ) == 0x0
 01260   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01261   484   NtEnumerateKey  (158, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES
 01262   484   NtClose  (158, ... ) == 0x0
 01263   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01264   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer"}, ... 156, ) }, ... 156, ) == 0x0
 01265   484   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, "FileExts"}, ... 160, ) }, ... 160, ) == 0x0
 01266   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01267   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01268   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01269   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01270   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01271   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 164, ) }, ... 164, ) == 0x0
 01272   484   NtQueryKey  (166, Name, 392, ... {Name= (166, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01273   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01274   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 168, ) == 0x0
 01275   484   NtQueryInformationToken  (168, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01276   484   NtClose  (168, ... ) == 0x0
 01277   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01278   484   NtQueryValueKey  (166, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (166, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 01279   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01280   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01281   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 168, ) }, ... 168, ) == 0x0
 01282   484   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01283   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01284   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01285   484   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01286   484   NtClose  (172, ... ) == 0x0
 01287   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01288   484   NtOpenKey  (0x1, {24, 170, 0x40, 0, 0,  (0x1, {24, 170, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01289   484   NtQueryKey  (170, Name, 384, ... {Name= (170, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01290   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01291   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 172, ) == 0x0
 01292   484   NtQueryInformationToken  (172, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01293   484   NtClose  (172, ... ) == 0x0
 01294   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01295   484   NtOpenKey  (0x2000000, {24, 170, 0x40, 0, 0, ""}, ... 172, ) == 0x0
 01296   484   NtClose  (170, ... ) == 0x0
 01297   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01298   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01299   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01300   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01301   484   NtQueryValueKey  (168,  (168, "DontShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01302   484   NtClose  (168, ... ) == 0x0
 01303   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01304   484   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0, ""}, ... 168, ) == 0x0
 01305   484   NtQueryValueKey  (168,  (168, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01306   484   NtQueryValueKey  (168,  (168, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (168, "ShellState", Partial, 144, ... TitleIdx=0, Type=3, Data="$\0\0\00(\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\15\0\0\0\0\0\0\0\2\0\0\0"}, 48, ) }, 48, ) == 0x0
 01307   484   NtClose  (168, ... ) == 0x0
 01308   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01309   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01310   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01311   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01312   484   NtQueryValueKey  (168,  (168, "ForceActiveDesktopOn", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01313   484   NtClose  (168, ... ) == 0x0
 01314   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01315   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01316   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01317   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01318   484   NtQueryValueKey  (168,  (168, "NoActiveDesktop", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01319   484   NtClose  (168, ... ) == 0x0
 01320   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01321   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01322   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01323   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01324   484   NtQueryValueKey  (168,  (168, "NoWebView", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01325   484   NtClose  (168, ... ) == 0x0
 01326   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01327   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01328   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01329   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01330   484   NtQueryValueKey  (168,  (168, "ClassicShell", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01331   484   NtClose  (168, ... ) == 0x0
 01332   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01333   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01334   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01335   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01336   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01337   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01338   484   NtQueryValueKey  (168,  (168, "SeparateProcess", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01339   484   NtClose  (168, ... ) == 0x0
 01340   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01341   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01342   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01343   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01344   484   NtQueryValueKey  (168,  (168, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01345   484   NtClose  (168, ... ) == 0x0
 01346   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01347   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01348   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01349   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 168, ) }, ... 168, ) == 0x0
 01350   484   NtQueryValueKey  (168,  (168, "NoSimpleStartMenu", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01351   484   NtClose  (168, ... ) == 0x0
 01352   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01353   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01354   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01355   484   NtOpenKey  (0x2000000, {24, 156, 0x40, 0, 0,  (0x2000000, {24, 156, 0x40, 0, 0, "Advanced"}, ... 168, ) }, ... 168, ) == 0x0
 01356   484   NtQueryValueKey  (168,  (168, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Hidden", Partial, 144, ... TitleIdx=0, Type=4, Data="\2\0\0\0"}, 16, ) }, 16, ) == 0x0
 01357   484   NtQueryValueKey  (168,  (168, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "ShowCompColor", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01358   484   NtQueryValueKey  (168,  (168, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "HideFileExt", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01359   484   NtQueryValueKey  (168,  (168, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "DontPrettyPath", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01360   484   NtQueryValueKey  (168,  (168, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "ShowInfoTip", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01361   484   NtQueryValueKey  (168,  (168, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "HideIcons", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01362   484   NtQueryValueKey  (168,  (168, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "MapNetDrvBtn", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01363   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01364   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01365   484   NtQueryValueKey  (168,  (168, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "WebView", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01366   484   NtQueryValueKey  (168,  (168, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Filter", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01367   484   NtQueryValueKey  (168,  (168, "ShowSuperHidden", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01368   484   NtQueryValueKey  (168,  (168, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "SeparateProcess", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01369   484   NtQueryValueKey  (168,  (168, "NoNetCrawling", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01370   484   NtClose  (168, ... ) == 0x0
 01371   484   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1475712, 0,  (0x1f0003, {24, 52, 0x80, 1475712, 0, "shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}"}, 0, 2147483647, ... 168, ) }, 0, 2147483647, ... 168, ) == STATUS_OBJECT_NAME_EXISTS
 01372   484   NtReleaseSemaphore  (168, 1, ... 0, ) == 0x0
 01373   484   NtWaitForSingleObject  (168, 0, {0, 0}, ... ) == 0x0
 01374   484   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01375   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01376   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01377   484   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01378   484   NtClose  (176, ... ) == 0x0
 01379   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01380   484   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01381   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01382   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01383   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01384   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 01385   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01386   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 176, ) }, ... 176, ) == 0x0
 01387   484   NtQueryKey  (178, Name, 392, ... {Name= (178, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 01388   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01389   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01390   484   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01391   484   NtClose  (180, ... ) == 0x0
 01392   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01393   484   NtQueryValueKey  (178,  (178, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01394   484   NtClose  (178, ... ) == 0x0
 01395   484   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01396   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01397   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01398   484   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01399   484   NtClose  (176, ... ) == 0x0
 01400   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01401   484   NtQueryValueKey  (174,  (174, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01402   484   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01403   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01404   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01405   484   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01406   484   NtClose  (176, ... ) == 0x0
 01407   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01408   484   NtQueryValueKey  (174,  (174, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01409   484   NtQueryKey  (174, Name, 384, ... {Name= (174, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01410   484   NtAllocateVirtualMemory  (-1, 1482752, 0, 4096, 4096, 4, ... 1482752, 4096, ) == 0x0
 01411   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01412   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 176, ) == 0x0
 01413   484   NtQueryInformationToken  (176, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01414   484   NtClose  (176, ... ) == 0x0
 01415   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01416   484   NtOpenKey  (0x1, {24, 174, 0x40, 0, 0,  (0x1, {24, 174, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01417   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01418   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01419   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 176, ) }, ... 176, ) == 0x0
 01420   484   NtQueryKey  (178, Name, 384, ... {Name= (178, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 01421   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01422   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01423   484   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01424   484   NtClose  (180, ... ) == 0x0
 01425   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01426   484   NtOpenKey  (0x1, {24, 178, 0x40, 0, 0,  (0x1, {24, 178, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01427   484   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01428   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01429   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01430   484   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01431   484   NtClose  (180, ... ) == 0x0
 01432   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01433   484   NtQueryValueKey  (174,  (174, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01434   484   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01435   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01436   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01437   484   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01438   484   NtClose  (180, ... ) == 0x0
 01439   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01440   484   NtQueryValueKey  (174,  (174, "AlwaysShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01441   484   NtQueryKey  (174, Name, 392, ... {Name= (174, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 01442   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01443   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 180, ) == 0x0
 01444   484   NtQueryInformationToken  (180, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01445   484   NtClose  (180, ... ) == 0x0
 01446   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01447   484   NtQueryValueKey  (174,  (174, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01448   484   NtClose  (166, ... ) == 0x0
 01449   484   NtClose  (174, ... ) == 0x0
 01450   484   NtClose  (178, ... ) == 0x0
 01451   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01452   484   NtCreateSemaphore  (0x1f0003, {24, 52, 0x80, 1475712, 0,  (0x1f0003, {24, 52, 0x80, 1475712, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 176, ) }, 0, 2147483647, ... 176, ) == STATUS_OBJECT_NAME_EXISTS
 01453   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 01454   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 01455   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 01456   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 01457   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0
 01458   484   NtQueryValueKey  (172,  (172, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0
 01459   484   NtClose  (172, ... ) == 0x0
 01460   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents"}, 1235664, ... ) }, 1235664, ... ) == 0x0
 01461   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 172, 2, ) }, 0, 0x0, 0, ... 172, 2, ) == 0x0
 01462   484   NtSetValueKey  (172,  (172, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 0, 1,  (172, "Personal", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 96, ... ) , 96, ... ) == 0x0
 01463   484   NtClose  (172, ... ) == 0x0
 01464   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234076, ... ) }, 1234076, ... ) == 0x0
 01465   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0
 01466   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 172, ... 164, ) == 0x0
 01467   484   NtClose  (172, ... ) == 0x0
 01468   484   NtMapViewOfSection  (164, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa80000), 0x0, 262144, ) == 0x0
 01469   484   NtClose  (164, ... ) == 0x0
 01470   484   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 01471   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01472   484   NtOpenEvent  (0x100000, {24, 52, 0x0, 0, 0,  (0x100000, {24, 52, 0x0, 0, 0, "_fCanRegisterWithShellService"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01473   484   NtOpenSection  (0xe, {24, 8, 0x40, 0, 0,  (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01474   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1233640, ... ) }, 1233640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01475   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "SETUPAPI.dll"}, 1233640, ... ) }, 1233640, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01476   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1233640, ... ) }, 1233640, ... ) == 0x0
 01477   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 164, {status=0x0, info=1}, ) }, 5, 96, ... 164, {status=0x0, info=1}, ) == 0x0
 01478   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 164, ... 172, ) == 0x0
 01479   484   NtQuerySection  (172, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 01480   484   NtClose  (164, ... ) == 0x0
 01481   484   NtMapViewOfSection  (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0
 01482   484   NtClose  (172, ... ) == 0x0
 01483   484   NtAllocateVirtualMemory  (-1, 9256960, 0, 4096, 4096, 4, ... 9256960, 4096, ) == 0x0
 01484   484   NtQueryDefaultLocale  (1, 1233472, ... ) == 0x0
 01485   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 01486   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01487   484   NtQueryValueKey  (172,  (172, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0
 01488   484   NtClose  (172, ... ) == 0x0
 01489   484   NtUserGetProcessWindowStation  (... ) == 0x28
 01490   484   NtUserGetObjectInformation  (40, 1, 1233144, 12, 1233156, ... ) == 0x1
 01491   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 172, ) }, ... 172, ) == 0x0
 01492   484   NtQueryValueKey  (172,  (172, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0
 01493   484   NtClose  (172, ... ) == 0x0
 01494   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01495   484   NtQueryValueKey  (172,  (172, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01496   484   NtQueryValueKey  (172,  (172, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0
 01497   484   NtClose  (172, ... ) == 0x0
 01498   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01499   484   NtQueryValueKey  (172,  (172, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01500   484   NtQueryValueKey  (172,  (172, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0
 01501   484   NtClose  (172, ... ) == 0x0
 01502   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01503   484   NtQueryValueKey  (172,  (172, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01504   484   NtQueryValueKey  (172,  (172, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01505   484   NtClose  (172, ... ) == 0x0
 01506   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01507   484   NtQueryValueKey  (172,  (172, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01508   484   NtQueryValueKey  (172,  (172, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0
 01509   484   NtClose  (172, ... ) == 0x0
 01510   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 172, ) }, ... 172, ) == 0x0
 01511   484   NtQueryValueKey  (172,  (172, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01512   484   NtQueryValueKey  (172,  (172, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0
 01513   484   NtClose  (172, ... ) == 0x0
 01514   484   NtOpenKey  (0x20019, {24, 28, 0x40, 0, 0,  (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 172, ) }, ... 172, ) == 0x0
 01515   484   NtQueryValueKey  (172,  (172, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (172, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0
 01516   484   NtClose  (172, ... ) == 0x0
 01517   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0
 01518   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 164, ) == 0x0
 01519   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0
 01520   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 184, ) == 0x0
 01521   484   NtCreateEvent  (0x1f0003, 0x0, 0, 0, ... 188, ) == 0x0
 01522   484   NtCreateMutant  (0x1f0001, 0x0, 0, ... 192, ) == 0x0
 01523   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 196, ) }, ... 196, ) == 0x0
 01524   484   NtQueryValueKey  (196,  (196, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01525   484   NtQueryValueKey  (196,  (196, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01526   484   NtOpenKey  (0x1, {24, 196, 0x40, 0, 0,  (0x1, {24, 196, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01527   484   NtClose  (196, ... ) == 0x0
 01528   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1233064, ... ) }, 1233064, ... ) == 0x0
 01529   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 196, ) }, ... 196, ) == 0x0
 01530   484   NtQueryValueKey  (196,  (196, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (196, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (196, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0
 01531   484   NtClose  (196, ... ) == 0x0
 01532   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 196, ) }, ... 196, ) == 0x0
 01533   484   NtQueryValueKey  (196,  (196, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (196, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (196, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0
 01534   484   NtClose  (196, ... ) == 0x0
 01535   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01536   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 196, ) }, ... 196, ) == 0x0
 01537   484   NtQueryValueKey  (196,  (196, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (196, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (196, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0
 01538   484   NtClose  (196, ... ) == 0x0
 01539   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01540   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01541   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01542   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01543   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233844,  (0xc0100080, {24, 0, 0x40, 0, 1233844, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0
 01544   484   NtSetInformationFile  (200, 1233900, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01545   484   NtSetInformationFile  (200, 1233892, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01546   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01547   484   NtWriteFile  (200, 129, 0, 0,  (200, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01548   484   NtReadFile  (200, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (200, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01549   484   NtFsControlFile  (200, 129, 0x0, 0x0, 0x11c017,  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\306\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01550   484   NtFsControlFile  (200, 129, 0x0, 0x0, 0x11c017,  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 106, 1024, ... {status=0x103, info=48},  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0j\0\0\0\2\0\0\0R\0\0\0\0\0\37\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305*\0,\0\14\344gv\26\0\0\0\0\0\0\0\25\0\0\0S\0e\0L\0o\0a\0d\0D\0r\0i\0v\0e\0r\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 106, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103
 01551   484   NtFsControlFile  (200, 129, 0x0, 0x0, 0x11c017,  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\310V\352\264\342?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\12\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01552   484   NtClose  (196, ... ) == 0x0
 01553   484   NtClose  (200, ... ) == 0x0
 01554   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01555   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 200, ) == 0x0
 01556   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01557   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01558   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1233844,  (0xc0100080, {24, 0, 0x40, 0, 1233844, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 196, {status=0x0, info=1}, ) == 0x0
 01559   484   NtSetInformationFile  (196, 1233900, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01560   484   NtSetInformationFile  (196, 1233892, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01561   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01562   484   NtWriteFile  (196, 129, 0, 0,  (196, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01563   484   NtReadFile  (196, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (196, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01564   484   NtFsControlFile  (196, 129, 0x0, 0x0, 0x11c017,  (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68},  (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\332\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\307\37\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01565   484   NtFsControlFile  (196, 129, 0x0, 0x0, 0x11c017,  (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0 (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0b\0\0\0\2\0\0\0J\0\0\0\0\0\37\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305"\0$\0l\343gv\22\0\0\0\0\0\0\0\21\0\0\0S\0e\0U\0n\0d\0o\0c\0k\0P\0r\0i\0v\0i\0l\0e\0g\0e\0", 98, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) \5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) == 0x103
 01566   484   NtFsControlFile  (196, 129, 0x0, 0x0, 0x11c017,  (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=36},  (196, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\311V\352\264\342?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=36}, "\5\0\2\3\20\0\0\0$\0\0\0\2\0\0\0\14\0\0\0\0\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103
 01567   484   NtClose  (200, ... ) == 0x0
 01568   484   NtClose  (196, ... ) == 0x0
 01569   484   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01570   484   NtOpenProcessToken  (-1, 0x20, ... 196, ) == 0x0
 01571   484   NtAdjustPrivilegesToken  (196, 0, 1483792, 0, 0, 0, ... ) == 0x0
 01572   484   NtClose  (196, ... ) == 0x0
 01573   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01574   484   NtCreateEvent  (0x1f0003, 0x0, 1, 0, ... 196, ) == 0x0
 01575   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 01576   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01577   484   NtCreateFile  (0xc0100080, {24, 0, 0x40, 0, 1234084,  (0xc0100080, {24, 0, 0x40, 0, 1234084, "\??\PIPE\ntsvcs"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 200, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 200, {status=0x0, info=1}, ) == 0x0
 01578   484   NtSetInformationFile  (200, 1234140, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0
 01579   484   NtSetInformationFile  (200, 1234132, 8, Completion, ... {status=0x0, info=0}, ) == 0x0
 01580   484   NtSetInformationThread  (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0
 01581   484   NtWriteFile  (200, 129, 0, 0,  (200, 129, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0@N\237\215=\240\316\21\217i\10\0>0\5\33\1\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0
 01582   484   NtReadFile  (200, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68},  (200, 129, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0
 01583   484   NtFsControlFile  (200, 129, 0x0, 0x0, 0x11c017,  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 48, 1024, ... {status=0x103, info=68},  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\27\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0\0\0\0\0", 48, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k!\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103
 01584   484   NtOpenThreadToken  (-2, 0x20, 1, ... ) == STATUS_NO_TOKEN
 01585   484   NtOpenProcessToken  (-1, 0x20, ... 204, ) == 0x0
 01586   484   NtAdjustPrivilegesToken  (204, 0, 1483872, 0, 0, 0, ... ) == 0x0
 01587   484   NtClose  (204, ... ) == 0x0
 01588   484   NtFsControlFile  (200, 129, 0x0, 0x0, 0x11c017,  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , 52, 1024, ... {status=0x103, info=32},  (200, 129, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\04\0\0\0\2\0\0\0\34\0\0\0\0\0\26\0\15c\365S\277\266\320\21\224\362\0\240\311\36\373\213\0\0\0\0S\1\0\0\0\0\0\0", 52, 1024, ... {status=0x103, info=32}, "\5\0\2\3\20\0\0\0 \0\0\0\1\0\0\0\10\0\0\0\0\0\0\0S\1\0\0\0\0\0\0", ) , ) == 0x103
 01589   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 204, {status=0x0, info=1}, ) }, 3, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01590   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 208, ) }, ... 208, ) == 0x0
 01591   484   NtQuerySymbolicLinkObject  (208, ...  (208, ... "\Device\FloppyPDO0", 38, ) , 38, ) == 0x0
 01592   484   NtClose  (208, ... ) == 0x0
 01593   484   NtQueryVolumeInformationFile  (204, 1234544, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01594   484   NtClose  (204, ... ) == 0x0
 01595   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 204, {status=0x0, info=1}, ) }, 3, 16, ... 204, {status=0x0, info=1}, ) == 0x0
 01596   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32},  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=32}, "\36\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", ) , ) == 0x0
 01597   484   NtClose  (204, ... ) == 0x0
 01598   484   NtQueryInformationFile  (-1, 1234544, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01599   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234496,  (0x100080, {24, 0, 0x40, 0, 1234496, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01600   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 32, ... , 54, 32, ...
 01601   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01602   484   NtClose  (-2147482020, ... ) == 0x0
 01600   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01603   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\36\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0", 54, 374, ... , 54, 374, ...
 01604   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\Floppy0"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01605   484   NtClose  (-2147482020, ... ) == 0x0
 01603   484   NtDeviceIoControlFile  ... {status=0x0, info=374},  ... {status=0x0, info=374}, "v\1\0\0\2\0\0\0\372\0\0\0`\0\0\08\0\0\0\244\0\0\0\334\0\0\0\36\0v\0Z\1\0\0\34\0\\08\0\0\0\244\0p\0\334\0\0\0\36\0\0\0\\0?\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0F\0l\0o\0p\0p\0y\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0A\0:\0", ) , ) == 0x0
 01606   484   NtClose  (204, ... ) == 0x0
 01607   484   NtAllocateVirtualMemory  (-1, 1486848, 0, 4096, 4096, 4, ... 1486848, 4096, ) == 0x0
 01608   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01609   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 01610   484   NtClose  (204, ... ) == 0x0
 01611   484   NtQueryValueKey  (208,  (208, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01612   484   NtQueryValueKey  (208,  (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0M\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0M\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0N\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0F\0D\0C\0#\0G\0E\0N\0E\0R\0I\0C\0_\0F\0L\0O\0P\0P\0Y\0_\0D\0R\0I\0V\0E\0#\06\0&\01\04\03\05\0b\02\0e\02\0&\00\0&\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0M\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0M\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0N\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01613   484   NtClose  (208, ... ) == 0x0
 01614   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0
 01615   484   NtOpenKey  (0x2000000, {24, 208, 0x40, 0, 0,  (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01616   484   NtClose  (208, ... ) == 0x0
 01617   484   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01618   484   NtClose  (204, ... ) == 0x0
 01619   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 204, {status=0x0, info=0}, ) }, 3, 96, ... 204, {status=0x0, info=0}, ) == 0x0
 01620   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 208, ) }, ... 208, ) == 0x0
 01621   484   NtQuerySymbolicLinkObject  (208, ...  (208, ... "\Device\Ide\IdeDeviceP1T0L0-e", 60, ) , 60, ) == 0x0
 01622   484   NtClose  (208, ... ) == 0x0
 01623   484   NtQueryVolumeInformationFile  (204, 1234544, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01624   484   NtClose  (204, ... ) == 0x0
 01625   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\IDE#CdRomTEAC_CD-224E-N__________________________1.AA____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 204, {status=0x0, info=0}, ) }, 3, 16, ... 204, {status=0x0, info=0}, ) == 0x0
 01626   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30},  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=30}, "\34\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", ) , ) == 0x0
 01627   484   NtClose  (204, ... ) == 0x0
 01628   484   NtQueryInformationFile  (-1, 1234544, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01629   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234496,  (0x100080, {24, 0, 0x40, 0, 1234496, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01630   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 32, ... , 52, 32, ...
 01631   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01632   484   NtClose  (-2147482020, ... ) == 0x0
 01630   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01633   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0\34\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0", 52, 490, ... , 52, 490, ...
 01634   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\CdRom0"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01635   484   NtClose  (-2147482020, ... ) == 0x0
 01633   484   NtDeviceIoControlFile  ... {status=0x0, info=490},  ... {status=0x0, info=490}, "\352\1\0\0\2\0\0\0n\1\0\0`\0\0\08\0\0\0\32\1\0\0R\1\0\0\34\0v\0\316\1\0\0\34\0\\08\0\0\0\32\1o\0R\1\0\0\34\0\22\341\\0?\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\\0D\0e\0v\0i\0c\0e\0\\0C\0d\0R\0o\0m\00\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0D\0:\0", ) , ) == 0x0
 01636   484   NtClose  (204, ... ) == 0x0
 01637   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01638   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 01639   484   NtClose  (204, ... ) == 0x0
 01640   484   NtQueryValueKey  (208,  (208, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01641   484   NtQueryValueKey  (208,  (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0j\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0j\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0I\0D\0E\0#\0C\0d\0R\0o\0m\0T\0E\0A\0C\0_\0C\0D\0-\02\02\04\0E\0-\0N\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\0_\01\0.\0A\0A\0_\0_\0_\0_\0#\03\00\03\01\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\01\03\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0j\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0j\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0k\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01642   484   NtClose  (208, ... ) == 0x0
 01643   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0
 01644   484   NtOpenKey  (0x2000000, {24, 208, 0x40, 0, 0,  (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01645   484   NtClose  (208, ... ) == 0x0
 01646   484   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01647   484   NtClose  (204, ... ) == 0x0
 01648   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 96, ... 204, {status=0x0, info=0}, ) }, 3, 96, ... 204, {status=0x0, info=0}, ) == 0x0
 01649   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, ... 208, ) }, ... 208, ) == 0x0
 01650   484   NtQuerySymbolicLinkObject  (208, ...  (208, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0
 01651   484   NtClose  (208, ... ) == 0x0
 01652   484   NtQueryVolumeInformationFile  (204, 1234544, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01653   484   NtClose  (204, ... ) == 0x0
 01654   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\STORAGE#Volume#1&30a96598&0&SignatureEF3BEF3BOffset7E00LengthBFB48200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"}, 3, 16, ... 204, {status=0x0, info=0}, ) }, 3, 16, ... 204, {status=0x0, info=0}, ) == 0x0
 01655   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48},  (204, 0, 0x0, 0x0, 0x4d0008, 0x0, 0, 520, ... {status=0x0, info=48}, ".\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", ) , ) == 0x0
 01656   484   NtClose  (204, ... ) == 0x0
 01657   484   NtQueryInformationFile  (-1, 1234544, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01658   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1234496,  (0x100080, {24, 0, 0x40, 0, 1234496, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01659   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 32, ... , 70, 32, ...
 01660   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01661   484   NtClose  (-2147482020, ... ) == 0x0
 01659   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01662   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0008,  (204, 0, 0x0, 0x0, 0x6d0008, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\0\0.\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0", 70, 238, ... , 70, 238, ...
 01663   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\Device\HarddiskVolume1"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01664   484   NtClose  (-2147482020, ... ) == 0x0
 01662   484   NtDeviceIoControlFile  ... {status=0x0, info=238},  ... {status=0x0, info=238}, "\356\0\0\0\2\0\0\0r\0\0\0`\0\0\08\0\0\0\14\0\0\0D\0\0\0.\0v\0\322\0\0\0\34\0\\08\0\0\0\14\0d\0D\0\0\0.\0k\0;\357;\357\0~\0\0\0\0\0\0\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\\0D\0o\0s\0D\0e\0v\0i\0c\0e\0s\0\\0C\0:\0", ) , ) == 0x0
 01665   484   NtClose  (204, ... ) == 0x0
 01666   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01667   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 01668   484   NtClose  (204, ... ) == 0x0
 01669   484   NtQueryValueKey  (208,  (208, "Data", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW
 01670   484   NtQueryValueKey  (208,  (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\207\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0\207\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) , Partial, 712, ... TitleIdx=0, Type=3, Data= (208, "Data", Partial, 712, ... TitleIdx=0, Type=3, Data="\0\0\0\0\\0\\0?\0\\0S\0T\0O\0R\0A\0G\0E\0#\0V\0o\0l\0u\0m\0e\0#\01\0&\03\00\0a\09\06\05\09\08\0&\00\0&\0S\0i\0g\0n\0a\0t\0u\0r\0e\0E\0F\03\0B\0E\0F\03\0B\0O\0f\0f\0s\0e\0t\07\0E\00\00\0L\0e\0n\0g\0t\0h\0B\0F\0B\04\08\02\00\00\0#\0{\05\03\0f\05\06\03\00\0d\0-\0b\06\0b\0f\0-\01\01\0d\00\0-\09\04\0f\02\0-\00\00\0a\00\0c\09\01\0e\0f\0b\08\0b\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\0\\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\0\0\0\0\0\310\2\0\0\207\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\320\0\0\0\207\6\0\0\324\1\0\0\344\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\210\6\0\0\324\1\0\0\344\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0\304\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0T\0\0\0d\326\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\0\226\0\240\326\22\0\0\0\0\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0"}, 712, ) }, 712, ) == 0x0
 01671   484   NtClose  (208, ... ) == 0x0
 01672   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 208, ) }, ... 208, ) == 0x0
 01673   484   NtOpenKey  (0x2000000, {24, 208, 0x40, 0, 0,  (0x2000000, {24, 208, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 204, ) }, ... 204, ) == 0x0
 01674   484   NtClose  (208, ... ) == 0x0
 01675   484   NtQueryValueKey  (204,  (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01676   484   NtClose  (204, ... ) == 0x0
 01677   484   NtAllocateVirtualMemory  (-1, 1490944, 0, 4096, 4096, 4, ... 1490944, 4096, ) == 0x0
 01678   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01679   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01680   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01681   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01682   484   NtClose  (-2147482020, ... ) == 0x0
 01680   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01683   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01684   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01685   484   NtClose  (-2147482020, ... ) == 0x0
 01683   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01686   484   NtClose  (204, ... ) == 0x0
 01687   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01688   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01689   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01690   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01691   484   NtClose  (-2147482020, ... ) == 0x0
 01689   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01692   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\09\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01693   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e9-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01694   484   NtClose  (-2147482020, ... ) == 0x0
 01692   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0C\0:\0\0\0\0\0", ) , ) == 0x0
 01695   484   NtClose  (204, ... ) == 0x0
 01696   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01697   484   NtSetValueKey  (204,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01698   484   NtClose  (204, ... ) == 0x0
 01699   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01700   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01701   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01702   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01703   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01704   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01705   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01706   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\C\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01707   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01708   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01709   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01710   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01711   484   NtClose  (-2147482020, ... ) == 0x0
 01709   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01712   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01713   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01714   484   NtClose  (-2147482020, ... ) == 0x0
 01712   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01715   484   NtClose  (204, ... ) == 0x0
 01716   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01717   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01718   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01719   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01720   484   NtClose  (-2147482020, ... ) == 0x0
 01718   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01721   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\07\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01722   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e7-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=0}, ) }, 0, 64, ... -2147482020, {status=0x0, info=0}, ) == 0x0
 01723   484   NtClose  (-2147482020, ... ) == 0x0
 01721   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0D\0:\0\0\0\0\0", ) , ) == 0x0
 01724   484   NtClose  (204, ... ) == 0x0
 01725   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e7-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01726   484   NtSetValueKey  (204,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01727   484   NtClose  (204, ... ) == 0x0
 01728   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01729   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01730   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01731   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01732   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01733   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01734   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01735   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\D\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01736   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01737   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01738   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01739   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01740   484   NtClose  (-2147482020, ... ) == 0x0
 01738   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01741   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01742   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01743   484   NtClose  (-2147482020, ... ) == 0x0
 01741   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01744   484   NtClose  (204, ... ) == 0x0
 01745   484   NtQueryInformationFile  (-1, 1235748, 4, Ea, ... ) == STATUS_OBJECT_TYPE_MISMATCH
 01746   484   NtCreateFile  (0x100080, {24, 0, 0x40, 0, 1235700,  (0x100080, {24, 0, 0x40, 0, 1235700, "\??\MountPointManager"}, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 96, 0, 0, ... 204, {status=0x0, info=0}, ) == 0x0
 01747   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 8, ... , 520, 8, ...
 01748   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01749   484   NtClose  (-2147482020, ... ) == 0x0
 01747   484   NtDeviceIoControlFile  ... ) == STATUS_BUFFER_OVERFLOW
 01750   484   NtDeviceIoControlFile  (204, 0, 0x0, 0x0, 0x6d0034,  (204, 0, 0x0, 0x0, 0x6d0034, "`\0\\0?\0?\0\\0V\0o\0l\0u\0m\0e\0{\01\0a\00\03\01\05\0e\06\0-\0a\04\0b\0a\0-\01\01\0d\0b\0-\09\0d\00\02\0-\08\00\06\0d\06\01\07\02\06\09\06\0f\0}\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 520, 16, ... , 520, 16, ...
 01751   484   NtOpenFile  (0x80, {24, 0, 0x200, 0, 0,  (0x80, {24, 0, 0x200, 0, 0, "\??\Volume{1a0315e6-a4ba-11db-9d02-806d6172696f}"}, 0, 64, ... -2147482020, {status=0x0, info=1}, ) }, 0, 64, ... -2147482020, {status=0x0, info=1}, ) == 0x0
 01752   484   NtClose  (-2147482020, ... ) == 0x0
 01750   484   NtDeviceIoControlFile  ... {status=0x0, info=12},  ... {status=0x0, info=12}, "\10\0\0\0A\0:\0\0\0\0\0", ) , ) == 0x0
 01753   484   NtClose  (204, ... ) == 0x0
 01754   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a0315e6-a4ba-11db-9d02-806d6172696f}\"}, 0, 0x0, 0, ... 204, 2, ) }, 0, 0x0, 0, ... 204, 2, ) == 0x0
 01755   484   NtSetValueKey  (204,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 0, 1,  (204, "BaseClass", 0, 1, "D\0r\0i\0v\0e\0\0\0", 12, ... ) , 12, ... ) == 0x0
 01756   484   NtClose  (204, ... ) == 0x0
 01757   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01758   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01759   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01760   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultIcon"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01761   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01762   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01763   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01764   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Applications\Explorer.exe\Drives\A\DefaultLabel"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01765   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01766   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01767   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\F:"}, 3, 96, ... 204, {status=0x0, info=1}, ) }, 3, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01768   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\F:"}, ... 208, ) }, ... 208, ) == 0x0
 01769   484   NtQuerySymbolicLinkObject  (208, ...  (208, ... "\Device\WinDfs\F:0000000000009233", 66, ) , 66, ) == 0x0
 01770   484   NtClose  (208, ... ) == 0x0
 01771   484   NtQueryVolumeInformationFile  (204, 1235792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01772   484   NtClose  (204, ... ) == 0x0
 01773   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01774   484   NtOpenFile  (0x100080, {24, 0, 0x40, 0, 0,  (0x100080, {24, 0, 0x40, 0, 0, "\??\U:"}, 3, 96, ... 204, {status=0x0, info=1}, ) }, 3, 96, ... 204, {status=0x0, info=1}, ) == 0x0
 01775   484   NtOpenSymbolicLinkObject  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\??\U:"}, ... 208, ) }, ... 208, ) == 0x0
 01776   484   NtQuerySymbolicLinkObject  (208, ...  (208, ... "\Device\WinDfs\U:0000000000009233", 66, ) , 66, ) == 0x0
 01777   484   NtClose  (208, ... ) == 0x0
 01778   484   NtQueryVolumeInformationFile  (204, 1235792, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 01779   484   NtClose  (204, ... ) == 0x0
 01780   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 01781   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 01782   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 01783   484   NtClose  (204, ... ) == 0x0
 01784   484   NtQueryValueKey  (208,  (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 01785   484   NtClose  (208, ... ) == 0x0
 01786   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 01787   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233980, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233980, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 01788   484   NtClose  (208, ... ) == 0x0
 01789   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 01790   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01791   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Directory"}, ... 208, ) }, ... 208, ) == 0x0
 01792   484   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01793   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01794   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01795   484   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01796   484   NtClose  (204, ... ) == 0x0
 01797   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01798   484   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01799   484   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01800   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01801   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 01802   484   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01803   484   NtClose  (204, ... ) == 0x0
 01804   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01805   484   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0, ""}, ... 204, ) == 0x0
 01806   484   NtClose  (210, ... ) == 0x0
 01807   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 01808   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 01809   484   NtReleaseSemaphore  (168, 1, ... 0, ) == 0x0
 01810   484   NtWaitForSingleObject  (168, 0, {0, 0}, ... ) == 0x0
 01811   484   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01812   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01813   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01814   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01815   484   NtClose  (208, ... ) == 0x0
 01816   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01817   484   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\IconHandler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01818   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01819   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01820   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01821   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01822   484   NtClose  (208, ... ) == 0x0
 01823   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01824   484   NtQueryValueKey  (206,  (206, "DocObject", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01825   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01826   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01827   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01828   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01829   484   NtClose  (208, ... ) == 0x0
 01830   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01831   484   NtQueryValueKey  (206,  (206, "BrowseInPlace", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01832   484   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01833   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01834   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 01835   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01836   484   NtClose  (208, ... ) == 0x0
 01837   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01838   484   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01839   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 01840   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "Folder"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01841   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Folder"}, ... 208, ) }, ... 208, ) == 0x0
 01842   484   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Foldert"}, 86, ) }, 86, ) == 0x0
 01843   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01844   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01845   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01846   484   NtClose  (212, ... ) == 0x0
 01847   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Folder\Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01848   484   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "Clsid"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01849   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01850   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01851   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01852   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01853   484   NtClose  (212, ... ) == 0x0
 01854   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01855   484   NtQueryValueKey  (206,  (206, "IsShortcut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01856   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01857   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01858   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01859   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01860   484   NtClose  (212, ... ) == 0x0
 01861   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01862   484   NtQueryValueKey  (206,  (206, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (206, "AlwaysShowExt", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0
 01863   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\Directory"}, 92, ) }, 92, ) == 0x0
 01864   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 01865   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 01866   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 01867   484   NtClose  (212, ... ) == 0x0
 01868   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\Directory"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01869   484   NtQueryValueKey  (206,  (206, "NeverShowExt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 01870   484   NtClose  (206, ... ) == 0x0
 01871   484   NtClose  (210, ... ) == 0x0
 01872   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 01873   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233884, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233884, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 01874   484   NtClose  (208, ... ) == 0x0
 01875   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 01876   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233804, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233804, 616, BothDirectory, 1, "My Documents", 0, ... {status=0x0, info=118}, ) , 0, ... {status=0x0, info=118}, ) == 0x0
 01877   484   NtClose  (208, ... ) == 0x0
 01878   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01879   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01880   484   NtAllocateVirtualMemory  (-1, 1220608, 0, 4096, 4096, 260, ... 1220608, 4096, ) == 0x0
 01881   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229176, ... ) }, 1229176, ... ) == 0x0
 01882   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01883   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01884   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01885   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01886   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01887   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01888   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01889   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01890   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01891   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01892   484   NtClose  (208, ... ) == 0x0
 01893   484   NtAllocateVirtualMemory  (-1, 1495040, 0, 4096, 4096, 4, ... 1495040, 4096, ) == 0x0
 01894   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01895   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01896   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01897   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01898   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01899   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01900   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01901   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01902   484   NtClose  (208, ... ) == 0x0
 01903   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 01904   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01905   484   NtClose  (208, ... ) == 0x0
 01906   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01907   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01908   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229176, ... ) }, 1229176, ... ) == 0x0
 01909   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01910   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01911   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01912   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01913   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01914   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01915   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01916   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01917   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01918   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01919   484   NtClose  (208, ... ) == 0x0
 01920   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01921   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01922   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01923   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01924   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01925   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01926   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01927   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01928   484   NtClose  (208, ... ) == 0x0
 01929   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 01930   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01931   484   NtClose  (208, ... ) == 0x0
 01932   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01933   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01934   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1231232, ... ) }, 1231232, ... ) == 0x0
 01935   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01936   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01937   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01938   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01939   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01940   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01941   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01942   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01943   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01944   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01945   484   NtClose  (208, ... ) == 0x0
 01946   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01947   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01948   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229512, ... ) }, 1229512, ... ) == 0x0
 01949   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01950   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01951   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01952   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01953   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01954   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01955   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01956   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01957   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01958   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01959   484   NtClose  (208, ... ) == 0x0
 01960   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 01961   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01962   484   NtClose  (208, ... ) == 0x0
 01963   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01964   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01965   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229512, ... ) }, 1229512, ... ) == 0x0
 01966   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01967   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01968   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01969   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01970   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01971   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01972   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01973   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01974   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01975   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01976   484   NtClose  (208, ... ) == 0x0
 01977   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 01978   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01979   484   NtClose  (208, ... ) == 0x0
 01980   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01981   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01982   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 1229512, ... ) }, 1229512, ... ) == 0x0
 01983   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 01984   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 01985   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\My Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 01986   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 01987   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 01988   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048659, 8192, 4, ... 11010048, 1052672, ) == 0x0
 01989   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 83, 4096, 4, ... 11010048, 4096, ) == 0x0
 01990   484   NtReadFile  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79},  (208, 0, 0, 0, 79, 0x0, 2012046884, ... {status=0x0, info=79}, "[DeleteOnCopy]\15\12Owner=SRI-user\15\12Personalized=5\15\12PersonalizedName=My Documents\15\12", ) , ) == 0x0
 01991   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 01992   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 01993   484   NtClose  (208, ... ) == 0x0
 01994   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 01995   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 01996   484   NtClose  (208, ... ) == 0x0
 01997   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 01998   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 01999   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 02000   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 02001   484   NtCreateKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02002   484   NtQueryValueKey  (208,  (208, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (208, "Common Documents", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 68, ) }, 68, ) == 0x0
 02003   484   NtClose  (208, ... ) == 0x0
 02004   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents"}, 1235664, ... ) }, 1235664, ... ) == 0x0
 02005   484   NtCreateKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02006   484   NtSetValueKey  (208,  (208, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 0, 1,  (208, "Common Documents", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0", 92, ... ) , 92, ... ) == 0x0
 02007   484   NtClose  (208, ... ) == 0x0
 02008   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234076, ... ) }, 1234076, ... ) == 0x0
 02009   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02010   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 208, ... 204, ) == 0x0
 02011   484   NtClose  (208, ... ) == 0x0
 02012   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa80000), 0x0, 262144, ) == 0x0
 02013   484   NtClose  (204, ... ) == 0x0
 02014   484   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 02015   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02016   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02017   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 02018   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 02019   484   NtClose  (204, ... ) == 0x0
 02020   484   NtQueryValueKey  (208,  (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02021   484   NtClose  (208, ... ) == 0x0
 02022   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02023   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233984, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233984, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02024   484   NtClose  (208, ... ) == 0x0
 02025   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02026   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233892, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233892, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02027   484   NtClose  (208, ... ) == 0x0
 02028   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02029   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233820, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233820, 616, BothDirectory, 1, "Documents", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02030   484   NtClose  (208, ... ) == 0x0
 02031   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02032   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02033   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229192, ... ) }, 1229192, ... ) == 0x0
 02034   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02035   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02036   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02037   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 02038   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02039   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 11010048, 1052672, ) == 0x0
 02040   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 142, 4096, 4, ... 11010048, 4096, ) == 0x0
 02041   484   NtReadFile  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 02042   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 02043   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 02044   484   NtClose  (208, ... ) == 0x0
 02045   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 02046   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02047   484   NtClose  (208, ... ) == 0x0
 02048   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02049   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02050   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229164, ... ) }, 1229164, ... ) == 0x0
 02051   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02052   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02053   484   NtAllocateVirtualMemory  (-1, 1499136, 0, 4096, 4096, 4, ... 1499136, 4096, ) == 0x0
 02054   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02055   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 02056   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02057   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 11010048, 1052672, ) == 0x0
 02058   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 142, 4096, 4, ... 11010048, 4096, ) == 0x0
 02059   484   NtReadFile  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 02060   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 02061   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 02062   484   NtClose  (208, ... ) == 0x0
 02063   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02064   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02065   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229528, ... ) }, 1229528, ... ) == 0x0
 02066   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02067   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02068   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02069   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 02070   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02071   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 11010048, 1052672, ) == 0x0
 02072   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 142, 4096, 4, ... 11010048, 4096, ) == 0x0
 02073   484   NtReadFile  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 02074   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 02075   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 02076   484   NtClose  (208, ... ) == 0x0
 02077   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 02078   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02079   484   NtClose  (208, ... ) == 0x0
 02080   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02081   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02082   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229528, ... ) }, 1229528, ... ) == 0x0
 02083   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02084   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02085   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02086   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 02087   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02088   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 11010048, 1052672, ) == 0x0
 02089   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 142, 4096, 4, ... 11010048, 4096, ) == 0x0
 02090   484   NtReadFile  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 02091   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 02092   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 02093   484   NtClose  (208, ... ) == 0x0
 02094   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 02095   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02096   484   NtClose  (208, ... ) == 0x0
 02097   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02098   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02099   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 1229528, ... ) }, 1229528, ... ) == 0x0
 02100   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02101   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02102   484   NtOpenFile  (0x80100000, {24, 0, 0x40, 0, 0,  (0x80100000, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Documents\desktop.ini"}, 7, 96, ... 208, {status=0x0, info=1}, ) }, 7, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02103   484   NtLockFile  (208, 0, 0, 0, {0, 0}, {-1, -1}, 1, 0, 0, ... {status=0x0, info=-2142329745}, ) == 0x0
 02104   484   NtQueryInformationFile  (208, 1484872, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02105   484   NtAllocateVirtualMemory  (-1, 0, 0, 1048718, 8192, 4, ... 11010048, 1052672, ) == 0x0
 02106   484   NtAllocateVirtualMemory  (-1, 11010048, 0, 142, 4096, 4, ... 11010048, 4096, ) == 0x0
 02107   484   NtReadFile  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138},  (208, 0, 0, 0, 138, 0x0, 2012046884, ... {status=0x0, info=138}, "[.ShellClassInfo]\15\12LocalizedResourceName=@shell32.dll,-21785\15\12[FileSharingInformation]\15\12ShortcutName=Shared Documents on SRI-S3S1K11CZE9\15\12", ) , ) == 0x0
 02108   484   NtFreeVirtualMemory  (-1, (0xa80000), 1052672, 32768, ... (0xa80000), 1052672, ) == 0x0
 02109   484   NtUnlockFile  (208, {0, 0}, {-1, -1}, 484, ... ) == STATUS_RANGE_NOT_LOCKED
 02110   484   NtClose  (208, ... ) == 0x0
 02111   484   NtOpenProcessToken  (-1, 0x8, ... 208, ) == 0x0
 02112   484   NtQueryInformationToken  (208, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0
 02113   484   NtClose  (208, ... ) == 0x0
 02114   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02115   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 02116   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 02117   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 02118   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 02119   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02120   484   NtQueryValueKey  (208,  (208, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (208, "Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 56, ) }, 56, ) == 0x0
 02121   484   NtClose  (208, ... ) == 0x0
 02122   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Desktop"}, 1235664, ... ) }, 1235664, ... ) == 0x0
 02123   484   NtCreateKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02124   484   NtSetValueKey  (208,  (208, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 0, 1,  (208, "Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 86, ... ) , 86, ... ) == 0x0
 02125   484   NtClose  (208, ... ) == 0x0
 02126   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234076, ... ) }, 1234076, ... ) == 0x0
 02127   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02128   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 208, ... 204, ) == 0x0
 02129   484   NtClose  (208, ... ) == 0x0
 02130   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa80000), 0x0, 262144, ) == 0x0
 02131   484   NtClose  (204, ... ) == 0x0
 02132   484   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 02133   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02134   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02135   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 02136   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 02137   484   NtClose  (204, ... ) == 0x0
 02138   484   NtQueryValueKey  (208,  (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02139   484   NtClose  (208, ... ) == 0x0
 02140   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02141   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233992, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233992, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02142   484   NtClose  (208, ... ) == 0x0
 02143   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02144   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233904, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233904, 616, BothDirectory, 1, "SRI-user", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02145   484   NtClose  (208, ... ) == 0x0
 02146   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02147   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233836, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233836, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02148   484   NtClose  (208, ... ) == 0x0
 02149   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 02150   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 02151   484   NtReleaseSemaphore  (176, 1, ... 0, ) == 0x0
 02152   484   NtWaitForSingleObject  (176, 0, {0, 0}, ... ) == 0x0
 02153   484   NtCreateKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02154   484   NtQueryValueKey  (208,  (208, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (208, "Common Desktop", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0"}, 64, ) }, 64, ) == 0x0
 02155   484   NtClose  (208, ... ) == 0x0
 02156   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Desktop"}, 1235664, ... ) }, 1235664, ... ) == 0x0
 02157   484   NtCreateKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 208, 2, ) }, 0, 0x0, 0, ... 208, 2, ) == 0x0
 02158   484   NtSetValueKey  (208,  (208, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 0, 1,  (208, "Common Desktop", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0D\0e\0s\0k\0t\0o\0p\0\0\0", 88, ... ) , 88, ... ) == 0x0
 02159   484   NtClose  (208, ... ) == 0x0
 02160   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 1234076, ... ) }, 1234076, ... ) == 0x0
 02161   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\rpcss.dll"}, 5, 96, ... 208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0
 02162   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 208, ... 204, ) == 0x0
 02163   484   NtClose  (208, ... ) == 0x0
 02164   484   NtMapViewOfSection  (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa80000), 0x0, 262144, ) == 0x0
 02165   484   NtClose  (204, ... ) == 0x0
 02166   484   NtUnmapViewOfSection  (-1, 0xa80000, ... ) == 0x0
 02167   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02168   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02169   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume"}, ... 204, ) }, ... 204, ) == 0x0
 02170   484   NtOpenKey  (0x2000000, {24, 204, 0x40, 0, 0,  (0x2000000, {24, 204, 0x40, 0, 0, "{1a0315e9-a4ba-11db-9d02-806d6172696f}\"}, ... 208, ) }, ... 208, ) == 0x0
 02171   484   NtClose  (204, ... ) == 0x0
 02172   484   NtQueryValueKey  (208,  (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "Generation", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0
 02173   484   NtClose  (208, ... ) == 0x0
 02174   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02175   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233988, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233988, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0
 02176   484   NtClose  (208, ... ) == 0x0
 02177   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02178   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233900, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233900, 616, BothDirectory, 1, "All Users", 0, ... {status=0x0, info=112}, ) , 0, ... {status=0x0, info=112}, ) == 0x0
 02179   484   NtClose  (208, ... ) == 0x0
 02180   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\"}, 3, 16417, ... 208, {status=0x0, info=1}, ) }, 3, 16417, ... 208, {status=0x0, info=1}, ) == 0x0
 02181   484   NtQueryDirectoryFile  (208, 0, 0, 0, 1233832, 616, BothDirectory, 1,  (208, 0, 0, 0, 1233832, 616, BothDirectory, 1, "Desktop", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02182   484   NtClose  (208, ... ) == 0x0
 02183   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"}, ... 208, ) }, ... 208, ) == 0x0
 02184   484   NtEnumerateValueKey  (208, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (208, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) , Data= (208, 0, Full, 220, ... TitleIdx=0, Type=1, Name="{AEB6717E-7E19-11d0-97EE-00C04FD91972}", Data="\0\0"}, 98, ) }, 98, ) == 0x0
 02185   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESr"}, 138, ) }, 138, ) == 0x0
 02186   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, "CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02187   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\InProcServer32"}, ... 204, ) }, ... 204, ) == 0x0
 02188   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02189   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02190   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02191   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02192   484   NtClose  (212, ... ) == 0x0
 02193   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02194   484   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0\0\0"}, 36, ) }, 36, ) == 0x0
 02195   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, 192, ) }, 192, ) == 0x0
 02196   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02197   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02198   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02199   484   NtClose  (212, ... ) == 0x0
 02200   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02201   484   NtQueryValueKey  (206,  (206, "LoadWithoutCOM", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02202   484   NtClose  (206, ... ) == 0x0
 02203   484   NtEnumerateValueKey  (208, 1, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES
 02204   484   NtClose  (208, ... ) == 0x0
 02205   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0
 02206   484   NtQueryValueKey  (208,  (208, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (208, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) , Data= (208, "TransparentEnabled", Full, 524, ... TitleIdx=0, Type=4, Name="TransparentEnabled", Data="\1\0\0\0"}, 60, ) }, 60, ) == 0x0
 02207   484   NtClose  (208, ... ) == 0x0
 02208   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02209   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02210   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1236000, ... ) }, 1236000, ... ) == 0x0
 02211   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02212   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02213   484   NtOpenKey  (0x20019, {24, 0, 0x40, 0, 0,  (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 208, ) }, ... 208, ) == 0x0
 02214   484   NtQueryValueKey  (208,  (208, "ExecutableTypes", Partial, 0, ... ) , Partial, 0, ... ) == STATUS_BUFFER_TOO_SMALL
 02215   484   NtQueryValueKey  (208,  (208, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) , Partial, 260, ... TitleIdx=0, Type=7, Data= (208, "ExecutableTypes", Partial, 260, ... TitleIdx=0, Type=7, Data="A\0D\0E\0\0\0A\0D\0P\0\0\0B\0A\0S\0\0\0B\0A\0T\0\0\0C\0H\0M\0\0\0C\0M\0D\0\0\0C\0O\0M\0\0\0C\0P\0L\0\0\0C\0R\0T\0\0\0E\0X\0E\0\0\0H\0L\0P\0\0\0H\0T\0A\0\0\0I\0N\0F\0\0\0I\0N\0S\0\0\0I\0S\0P\0\0\0L\0N\0K\0\0\0M\0D\0B\0\0\0M\0D\0E\0\0\0M\0S\0C\0\0\0M\0S\0I\0\0\0M\0S\0P\0\0\0M\0S\0T\0\0\0O\0C\0X\0\0\0P\0C\0D\0\0\0P\0I\0F\0\0\0R\0E\0G\0\0\0S\0C\0R\0\0\0S\0H\0S\0\0\0U\0R\0L\0\0\0V\0B\0\0\0W\0S\0C\0\0\0\0\0"}, 260, ) }, 260, ) == 0x0
 02216   484   NtClose  (208, ... ) == 0x0
 02217   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02218   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02219   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02220   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02221   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESD"}, 138, ) }, 138, ) == 0x0
 02222   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02223   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 208, ) }, ... 208, ) == 0x0
 02224   484   NtQueryKey  (210, Name, 392, ... {Name= (210, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02225   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02226   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02227   484   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02228   484   NtClose  (204, ... ) == 0x0
 02229   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02230   484   NtQueryValueKey  (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (210, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02231   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02232   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02233   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 204, ) }, ... 204, ) == 0x0
 02234   484   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02235   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02236   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02237   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02238   484   NtClose  (212, ... ) == 0x0
 02239   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02240   484   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02241   484   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02242   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02243   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02244   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02245   484   NtClose  (212, ... ) == 0x0
 02246   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02247   484   NtOpenKey  (0x2000000, {24, 206, 0x40, 0, 0, ""}, ... 212, ) == 0x0
 02248   484   NtClose  (206, ... ) == 0x0
 02249   484   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02250   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02251   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02252   484   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02253   484   NtClose  (204, ... ) == 0x0
 02254   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02255   484   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02256   484   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.batC"}, 82, ) }, 82, ) == 0x0
 02257   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02258   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 204, ) == 0x0
 02259   484   NtQueryInformationToken  (204, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02260   484   NtClose  (204, ... ) == 0x0
 02261   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02262   484   NtOpenKey  (0x1, {24, 210, 0x40, 0, 0,  (0x1, {24, 210, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02263   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02264   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02265   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\SystemFileAssociations\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02266   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSESs"}, 138, ) }, 138, ) == 0x0
 02267   484   NtOpenKey  (0x1, {24, 150, 0x40, 0, 0,  (0x1, {24, 150, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02268   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 02269   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02270   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02271   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02272   484   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02273   484   NtClose  (216, ... ) == 0x0
 02274   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02275   484   NtQueryValueKey  (206,  (206, "PerceivedType", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02276   484   NtClose  (206, ... ) == 0x0
 02277   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02278   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "*"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02279   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\*"}, ... 204, ) }, ... 204, ) == 0x0
 02280   484   NtQueryKey  (206, Name, 384, ... {Name= (206, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\*"}, 76, ) }, 76, ) == 0x0
 02281   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02282   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02283   484   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02284   484   NtClose  (216, ... ) == 0x0
 02285   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\*\ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02286   484   NtOpenKey  (0x1, {24, 206, 0x40, 0, 0,  (0x1, {24, 206, 0x40, 0, 0, "ShellEx\{C46CA590-3C3F-11D2-BEE6-0000F805CA57}"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02287   484   NtClose  (210, ... ) == 0x0
 02288   484   NtClose  (214, ... ) == 0x0
 02289   484   NtClose  (206, ... ) == 0x0
 02290   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02291   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02292   484   NtOpenThreadToken  (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN
 02293   484   NtOpenKey  (0x2000000, {24, 160, 0x40, 0, 0,  (0x2000000, {24, 160, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02294   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02295   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, ".bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02296   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\.bat"}, ... 204, ) }, ... 204, ) == 0x0
 02297   484   NtQueryKey  (206, Name, 392, ... {Name= (206, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\.bato"}, 82, ) }, 82, ) == 0x0
 02298   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02299   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02300   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02301   484   NtClose  (212, ... ) == 0x0
 02302   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02303   484   NtQueryValueKey  (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data= (206, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data="b\0a\0t\0f\0i\0l\0e\0\0\0"}, 28, ) }, 28, ) == 0x0
 02304   484   NtQueryKey  (150, Name, 384, ... {Name= (150, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0
 02305   484   NtOpenKey  (0x2000000, {24, 150, 0x40, 0, 0,  (0x2000000, {24, 150, 0x40, 0, 0, "batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02306   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\batfile"}, ... 212, ) }, ... 212, ) == 0x0
 02307   484   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02308   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02309   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02310   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02311   484   NtClose  (208, ... ) == 0x0
 02312   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02313   484   NtOpenKey  (0x1, {24, 214, 0x40, 0, 0,  (0x1, {24, 214, 0x40, 0, 0, "CurVer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02314   484   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02315   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02316   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 208, ) == 0x0
 02317   484   NtQueryInformationToken  (208, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02318   484   NtClose  (208, ... ) == 0x0
 02319   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02320   484   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0, ""}, ... 208, ) == 0x0
 02321   484   NtClose  (214, ... ) == 0x0
 02322   484   NtQueryKey  (210, Name, 384, ... {Name= (210, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile"}, 88, ) }, 88, ) == 0x0
 02323   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02324   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02325   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02326   484   NtClose  (212, ... ) == 0x0
 02327   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02328   484   NtOpenKey  (0x2000000, {24, 210, 0x40, 0, 0,  (0x2000000, {24, 210, 0x40, 0, 0, "shell"}, ... 212, ) }, ... 212, ) == 0x0
 02329   484   NtQueryKey  (214, Name, 392, ... {Name= (214, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02330   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02331   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02332   484   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02333   484   NtClose  (216, ... ) == 0x0
 02334   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02335   484   NtQueryValueKey  (214, 0x0, Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02336   484   NtQueryKey  (214, Name, 384, ... {Name= (214, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell"}, 100, ) }, 100, ) == 0x0
 02337   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02338   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 216, ) == 0x0
 02339   484   NtQueryInformationToken  (216, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02340   484   NtClose  (216, ... ) == 0x0
 02341   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02342   484   NtOpenKey  (0x2000000, {24, 214, 0x40, 0, 0,  (0x2000000, {24, 214, 0x40, 0, 0, "open"}, ... 216, ) }, ... 216, ) == 0x0
 02343   484   NtClose  (214, ... ) == 0x0
 02344   484   NtQueryKey  (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02345   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02346   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02347   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02348   484   NtClose  (212, ... ) == 0x0
 02349   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02350   484   NtOpenKey  (0x1, {24, 218, 0x40, 0, 0,  (0x1, {24, 218, 0x40, 0, 0, "command"}, ... 212, ) }, ... 212, ) == 0x0
 02351   484   NtQueryKey  (214, Name, 392, ... {Name= (214, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02352   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02353   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 02354   484   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02355   484   NtClose  (220, ... ) == 0x0
 02356   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02357   484   NtQueryValueKey  (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02358   484   NtClose  (214, ... ) == 0x0
 02359   484   NtOpenKey  (0x2000000, {24, 84, 0x40, 0, 0,  (0x2000000, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02360   484   NtQueryKey  (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02361   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02362   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02363   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02364   484   NtClose  (212, ... ) == 0x0
 02365   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02366   484   NtOpenKey  (0x1, {24, 218, 0x40, 0, 0,  (0x1, {24, 218, 0x40, 0, 0, "command"}, ... 212, ) }, ... 212, ) == 0x0
 02367   484   NtQueryKey  (214, Name, 392, ... {Name= (214, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02368   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02369   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 02370   484   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02371   484   NtClose  (220, ... ) == 0x0
 02372   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02373   484   NtQueryValueKey  (214,  (214, "command", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02374   484   NtClose  (214, ... ) == 0x0
 02375   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02376   484   NtQueryKey  (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\opent"}, 110, ) }, 110, ) == 0x0
 02377   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02378   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02379   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02380   484   NtClose  (212, ... ) == 0x0
 02381   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02382   484   NtOpenKey  (0x1, {24, 218, 0x40, 0, 0,  (0x1, {24, 218, 0x40, 0, 0, "command"}, ... 212, ) }, ... 212, ) == 0x0
 02383   484   NtQueryKey  (214, Name, 392, ... {Name= (214, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02384   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02385   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 02386   484   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02387   484   NtClose  (220, ... ) == 0x0
 02388   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02389   484   NtQueryValueKey  (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02390   484   NtClose  (214, ... ) == 0x0
 02391   484   NtQueryKey  (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02392   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02393   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02394   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02395   484   NtClose  (212, ... ) == 0x0
 02396   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02397   484   NtOpenKey  (0x1, {24, 218, 0x40, 0, 0,  (0x1, {24, 218, 0x40, 0, 0, "ddeexec"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02398   484   NtUserGetForegroundWindow  (... ) == 0x20064
 02399   484   NtQueryKey  (218, Name, 384, ... {Name= (218, Name, 384, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open3"}, 110, ) }, 110, ) == 0x0
 02400   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02401   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 212, ) == 0x0
 02402   484   NtQueryInformationToken  (212, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02403   484   NtClose  (212, ... ) == 0x0
 02404   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02405   484   NtOpenKey  (0x1, {24, 218, 0x40, 0, 0,  (0x1, {24, 218, 0x40, 0, 0, "command"}, ... 212, ) }, ... 212, ) == 0x0
 02406   484   NtQueryKey  (214, Name, 392, ... {Name= (214, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command8"}, 126, ) }, 126, ) == 0x0
 02407   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02408   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 220, ) == 0x0
 02409   484   NtQueryInformationToken  (220, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02410   484   NtClose  (220, ... ) == 0x0
 02411   484   NtOpenKey  (0x2000000, {24, 0, 0x40, 0, 0,  (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\batfile\shell\open\command"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02412   484   NtQueryValueKey  (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=" (214, 0x0, Partial, 144, ... TitleIdx=0, Type=1, Data=""\0%\01\0"\0 \0%\0*\0\0\0"}, 28, ) \0 \0%\0*\0\0\0"}, 28, ) == 0x0
 02413   484   NtClose  (214, ... ) == 0x0
 02414   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02415   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02416   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02417   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 212, ) }, ... 212, ) == 0x0
 02418   484   NtQueryValueKey  (212,  (212, "RestrictRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02419   484   NtClose  (212, ... ) == 0x0
 02420   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02421   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02422   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02423   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 212, ) }, ... 212, ) == 0x0
 02424   484   NtQueryValueKey  (212,  (212, "DisallowRun", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02425   484   NtClose  (212, ... ) == 0x0
 02426   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\AppCompatibility\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02427   484   NtOpenKey  (0x2000000, {24, 28, 0x40, 0, 0,  (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\CheckBadApps"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02428   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02429   484   NtReleaseSemaphore  (152, 1, ... 0, ) == 0x0
 02430   484   NtWaitForSingleObject  (152, 0, {0, 0}, ... ) == 0x0
 02431   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02432   484   NtOpenKey  (0x1, {24, 84, 0x40, 0, 0,  (0x1, {24, 84, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"}, ... 212, ) }, ... 212, ) == 0x0
 02433   484   NtQueryValueKey  (212,  (212, "NoRunasInstallPrompt", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02434   484   NtClose  (212, ... ) == 0x0
 02435   484   NtOpenKey  (0x1, {24, 28, 0x40, 0, 0,  (0x1, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\App Paths\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02436   484   NtQueryInformationJobObject  (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED
 02437   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231300, ... ) }, 1231300, ... ) == 0x0
 02438   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1231992, ... ) }, 1231992, ... ) == 0x0
 02439   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 02440   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 212, ... ) == STATUS_INVALID_IMAGE_NOT_MZ
 02441   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 220, ) }, ... 220, ) == 0x0
 02442   484   NtQueryValueKey  (220,  (220, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02443   484   NtClose  (220, ... ) == 0x0
 02444   484   NtQueryVolumeInformationFile  (212, 1231300, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02445   484   NtOpenMutant  (0x120001, {24, 52, 0x0, 0, 0,  (0x120001, {24, 52, 0x0, 0, 0, "ShimCacheMutex"}, ... 220, ) }, ... 220, ) == 0x0
 02446   484   NtAllocateVirtualMemory  (-1, 1503232, 0, 4096, 4096, 4, ... 1503232, 4096, ) == 0x0
 02447   484   NtWaitForSingleObject  (220, 0, {-1000000, -1}, ... ) == 0x0
 02448   484   NtOpenSection  (0x2, {24, 52, 0x0, 0, 0,  (0x2, {24, 52, 0x0, 0, 0, "ShimSharedMemory"}, ... 224, ) }, ... 224, ) == 0x0
 02449   484   NtMapViewOfSection  (224, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa80000), {0, 0}, 57344, ) == 0x0
 02450   484   NtReleaseMutant  (220, ... 0x0, ) == 0x0
 02451   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229284, ... ) }, 1229284, ... ) == 0x0
 02452   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 228, {status=0x0, info=1}, ) }, 5, 96, ... 228, {status=0x0, info=1}, ) == 0x0
 02453   484   NtCreateSection  (0xe, 0x0, 0x0, 16, 134217728, 228, ... 232, ) == 0x0
 02454   484   NtClose  (228, ... ) == 0x0
 02455   484   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa90000), 0x0, 106496, ) == 0x0
 02456   484   NtClose  (232, ... ) == 0x0
 02457   484   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 02458   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1229600, ... ) }, 1229600, ... ) == 0x0
 02459   484   NtOpenFile  (0x100020, {24, 0, 0x40, 0, 0,  (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0
 02460   484   NtCreateSection  (0xf, 0x0, 0x0, 16, 16777216, 232, ... 228, ) == 0x0
 02461   484   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02462   484   NtClose  (232, ... ) == 0x0
 02463   484   NtMapViewOfSection  (228, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75f40000), 0x0, 118784, ) == 0x0
 02464   484   NtClose  (228, ... ) == 0x0
 02465   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 228, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 228, {status=0x0, info=1}, ) == 0x0
 02466   484   NtQueryInformationFile  (228, 1229888, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02467   484   NtCreateSection  (0x4, 0x0, 0x0, 2, 134217728, 228, ... 232, ) == 0x0
 02468   484   NtMapViewOfSection  (232, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0xa90000), 0x0, 1028096, ) == 0x0
 02469   484   NtQueryInformationFile  (228, 1229984, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02470   484   NtCreateFile  (0x80100080, {24, 0, 0x40, 0, 0,  (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02471   484   NtQuerySystemInformation  (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0
 02472   484   NtQueryInformationProcess  (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0
 02473   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02474   484   NtQueryDirectoryFile  (236, 0, 0, 0, 1227548, 616, BothDirectory, 1,  (236, 0, 0, 0, 1227548, 616, BothDirectory, 1, "tmp-490-wlr.bat", 0, ... {status=0x0, info=124}, ) , 0, ... {status=0x0, info=124}, ) == 0x0
 02475   484   NtClose  (236, ... ) == 0x0
 02476   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02477   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02478   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1226936, ... ) }, 1226936, ... ) == 0x0
 02479   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02480   484   NtQueryDirectoryFile  (236, 0, 0, 0, 1226296, 616, BothDirectory, 1,  (236, 0, 0, 0, 1226296, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02481   484   NtClose  (236, ... ) == 0x0
 02482   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02483   484   NtQueryDirectoryFile  (236, 0, 0, 0, 1226296, 616, BothDirectory, 1,  (236, 0, 0, 0, 1226296, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02484   484   NtClose  (236, ... ) == 0x0
 02485   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02486   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02487   484   NtQueryInformationProcess  (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0
 02488   484   NtOpenThreadTokenEx  (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN
 02489   484   NtOpenProcessTokenEx  (-1, 0x20008, 512, ... 236, ) == 0x0
 02490   484   NtQueryInformationToken  (236, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0
 02491   484   NtClose  (236, ... ) == 0x0
 02492   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02493   484   NtOpenKey  (0x80000100, {24, 0, 0x40, 0, 0,  (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\tmp-490-wlr.bat"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02494   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02495   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02496   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\tmp-490-wlr.bat"}, 1229216, ... ) }, 1229216, ... ) == 0x0
 02497   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02498   484   NtQueryDirectoryFile  (236, 0, 0, 0, 1228576, 616, BothDirectory, 1,  (236, 0, 0, 0, 1228576, 616, BothDirectory, 1, "WINDOWS", 0, ... {status=0x0, info=108}, ) , 0, ... {status=0x0, info=108}, ) == 0x0
 02499   484   NtClose  (236, ... ) == 0x0
 02500   484   NtOpenFile  (0x100001, {24, 0, 0x40, 0, 0,  (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 3, 16417, ... 236, {status=0x0, info=1}, ) }, 3, 16417, ... 236, {status=0x0, info=1}, ) == 0x0
 02501   484   NtQueryDirectoryFile  (236, 0, 0, 0, 1228576, 616, BothDirectory, 1,  (236, 0, 0, 0, 1228576, 616, BothDirectory, 1, "System32", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0
 02502   484   NtClose  (236, ... ) == 0x0
 02503   484   NtQueryInformationProcess  (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0
 02504   484   NtSetInformationProcess  (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02505   484   NtWaitForSingleObject  (220, 0, {-1000000, -1}, ... ) == 0x0
 02506   484   NtQueryVolumeInformationFile  (212, 1229860, 8, Device, ... {status=0x0, info=8}, ) == 0x0
 02507   484   NtQueryInformationFile  (212, 1229840, 40, Basic, ... {status=0x0, info=40}, ) == 0x0
 02508   484   NtQueryInformationFile  (212, 1229880, 24, Standard, ... {status=0x0, info=24}, ) == 0x0
 02509   484   NtReleaseMutant  (220, ... 0x0, ) == 0x0
 02510   484   NtUnmapViewOfSection  (-1, 0xa90000, ... ) == 0x0
 02511   484   NtClose  (232, ... ) == 0x0
 02512   484   NtClose  (228, ... ) == 0x0
 02513   484   NtClose  (212, ... ) == 0x0
 02514   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\u:\work\cmd.exe"}, 1231276, ... ) }, 1231276, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02515   484   NtQueryAttributesFile  ({24, 12, 0x40, 0, 0,  ({24, 12, 0x40, 0, 0, "cmd.exe"}, 1231276, ... ) }, 1231276, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02516   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231276, ... ) }, 1231276, ... ) == 0x0
 02517   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 1231992, ... ) }, 1231992, ... ) == 0x0
 02518   484   NtOpenFile  (0x1000a1, {24, 0, 0x40, 0, 0,  (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe"}, 5, 96, ... 212, {status=0x0, info=1}, ) }, 5, 96, ... 212, {status=0x0, info=1}, ) == 0x0
 02519   484   NtCreateSection  (0xf001f, 0x0, 0x0, 16, 16777216, 212, ... 228, ) == 0x0
 02520   484   NtOpenKey  (0x1, {24, 0, 0x40, 0, 0,  (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02521   484   NtQuerySection  (228, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0
 02522   484   NtOpenKey  (0x80000000, {24, 0, 0x40, 0, 0,  (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02523   484   NtCreateProcessEx  (1233928, 2035711, 0, -1, 0, 228, 0, 0, 0, ... ) == 0x0
 02524   484   NtSetInformationProcess  (232, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0
 02525   484   NtQueryInformationProcess  (232, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=468,}, 0x0, ) == 0x0
 02526   484   NtReadVirtualMemory  (232, 0x7ffdf008, 4, ...  (232, 0x7ffdf008, 4, ... "\0\0\320J", 0x0, ) , 0x0, ) == 0x0
 02527   484   NtOpenFile  (0x1200a9, {24, 0, 0x40, 0, 0,  (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cmd.exe.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND
 02528   484   NtAllocateVirtualMemory  (-1, 1507328, 0, 8192, 4096, 4, ... 1507328, 8192, ) == 0x0
 02529   484   NtReadVirtualMemory  (232, 0x4ad00000, 4096, ...  (232, 0x4ad00000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\13+S\231OJ=\312OJ=\312OJ=\312\265i}\312IJ=\312OJ<\312\235J=\312\265i$\312HJ=\312\224h \312MJ=\312\330ix\312NJ=\312\225i!\312\177J=\312\265i\0\312NJ=\312RichOJ=\312\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0&\343};\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\0\0\310\1\0\0\364\3\0\0\0\0\0\226\245\0\0\0\20\0\0\0\300\1\0\0\0\320J\0\20\0\0\0\2\0\0\5\0\1\0\5\0\1\0\4\0\0\0\0\0\0\0\0\340\5\0\0\4\0\0\374\313\5\0\3\0\0\200\0\0\20\0\0\0\20\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\300\310\1\0P\0\0\0\0\260\3\0\230(\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\327\1\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\2\0\0X\0\0\0\0\20\0\0\344\2\0\0d\305\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\270\307\1\0\0\20\0\0\0\310\1\0\0\4\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0
 02530   484   NtReadVirtualMemory  (232, 0x4ad3b000, 256, ...  (232, 0x4ad3b000, 256, ... "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\3\0\0\00\0\0\200\13\0\0\0\200\0\0\200\16\0\0\0\230\0\0\200\20\0\0\0\260\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\0\0\310\0\0\200\2\0\0\0\340\0\0\200\3\0\0\0\370\0\0\200\4\0\0\0\20\1\0\200\5\0\0\0(\1\0\200\6\0\0\0@\1\0\200\7\0\0\0X\1\0\200\10\0\0\0p\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\210\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\200\2\0\200\240\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\1\0\0\0\270\1\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\320\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\4\0\0\340\1\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0
 02531   484   NtQueryDebugFilterState  (53, 2, ... ) == 0x0
 02532   484   NtQueryInformationProcess  (232, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdf000,AffinityMask=0x1,BasePriority=8,Pid=964,ParentPid=468,}, 0x0, ) == 0x0
 02533   484   NtQueryAttributesFile  ({24, 0, 0x40, 0, 0,  ({24, 0, 0x40, 0, 0, "\??\U:\startupscripts"}, 1231992, ... ) }, 1231992, ... ) == 0x0
 02534   484   NtAllocateVirtualMemory  (-1, 0, 0, 1676, 4096, 4, ... 11075584, 4096, ) == 0x0
 02535   484   NtAllocateVirtualMemory  (232, 0, 0, 1910, 4096, 4, ... 65536, 4096, ) == 0x0
 02536   484   NtWriteVirtualMemory  (232, 0x10000,  (232, 0x10000, "=\0:\0:\0=\0:\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0p\0o\0l\0y\0u\0n\0p\0a\0c\0k\0\0\0=\0E\0x\0i\0t\0C\0o\0d\0e\0=\00\00\00\00\00\00\00\02\0\0\0=\0U\0:\0=\0U\0:\0\\0s\0t\0a\0r\0t\0u\0p\0s\0c\0r\0i\0p\0t\0s\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0C\0L\0I\0E\0N\0T\0N\0A\0M\0E\0=\0C\0o\0n\0s\0o\0l\0e\0\0\0C\0o\0m\0m\0o\0n\0P\0r\0o\0g\0r\0a\0m\0F\0i\0l\0e\0s\0=\0C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0C\0O\0M\0", 1910, ... 0x0, ) , 1910, ... 0x0, ) == 0x0
 02537   484   NtAllocateVirtualMemory  (232, 0, 0, 1676, 4096, 4, ... 131072, 4096, ) == 0x0
 02538   484   NtWriteVirtualMemory  (232, 0x20000,  (232, 0x20000, "\0\20\0\0\214\6\0\0\0\0\0\0\0\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"\0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) \0\10\2\220\2\0\0\0\0\0\0\374\0\376\0\230\4\0\06\08\0\230\5\0\0^\0`\0\320\5\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\06\08\00\6\0\0\36\0 \0h\6\0\0\0\0\2\0\210\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1676, ... 0x0, ) == 0x0
 02539   484   NtWriteVirtualMemory  (232, 0x7ffdf010,  (232, 0x7ffdf010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02540   484   NtWriteVirtualMemory  (232, 0x7ffdf1e8,  (232, 0x7ffdf1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0
 02541   484   NtFreeVirtualMemory  (-1, (0xa90000), 0, 32768, ... (0xa90000), 4096, ) == 0x0
 02542   484   NtAllocateVirtualMemory  (232, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0
 02543   484   NtAllocateVirtualMemory  (232, 196608, 0, 1048576, 4096, 4, ... 196608, 1048576, ) == 0x0
 02544   484   NtCreateThread  (0x1f03ff, 0x0, 232, 1232192, 1232912, 1, ... 236, {964, 992}, ) == 0x0
 02545   484   NtRequestWaitReplyPort  (24, {168, 196, new_msg, 0, 0, 1234024, 0, 0}  (24, {168, 196, new_msg, 0, 0, 1234024, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\350\0\0\0\354\0\0\0\304\3\0\0\340\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\364\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 468, 484, 1586, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\350\0\0\0\354\0\0\0\304\3\0\0\340\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\364\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {168, 196, reply, 0, 468, 484, 1586, 0}  (24, {168, 196, new_msg, 0, 0, 1234024, 0, 0} "\0\0\0\0\0\0\1\0\24\0\0\0\1\0\0\0\350\0\0\0\354\0\0\0\304\3\0\0\340\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\364\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" ... {168, 196, reply, 0, 468, 484, 1586, 0} "\0\0\0\0\0\0\1\0\0\0\0\0\1\0\0\0\350\0\0\0\354\0\0\0\304\3\0\0\340\3\0\0\0\0\0\0\0\0\0\0\20\4\0\4\0\0\0\0\0\0\0\0\364\326\22\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02546   484   NtResumeThread  (236, ... 1, ) == 0x0
 02547   484   NtClose  (212, ... ) == 0x0
 02548   484   NtClose  (228, ... ) == 0x0
 02549   484   NtClose  (218, ... ) == 0x0
 02550   484   NtClose  (206, ... ) == 0x0
 02551   484   NtClose  (210, ... ) == 0x0
 02552   484   NtClose  (232, ... ) == 0x0
 02553   484   NtClose  (236, ... ) == 0x0
 02554   484   NtUserDestroyWindow  (131250, ...
 02555   484   NtUserRemoveProp  (131250, 43288, ... ) == 0xffffffff
 02556   484   NtUserRemoveProp  (131250, 43282, ... ) == 0x0
 02557   484   NtUserRemoveProp  (131250, 43287, ... ) == 0x0
 02554   484   NtUserDestroyWindow  ... ) == 0x1
 02558   484   NtUserUnregisterClass  (1237372, 1998258176, 1237360, ... ) == 0x1
 02559   484   NtTerminateProcess  (0, 0, ... ) == 0x0
 02560   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0
 02561   484   NtWaitForMultipleObjects  (2, (172, 164, ), 1, 0, 0x0, ... ) == 0x1
 02562   484   NtClose  (164, ... ) == 0x0
 02563   484   NtSetEvent  (172, ... 0x0, ) == 0x0
 02564   484   NtClose  (172, ... ) == 0x0
 02565   484   NtWaitForMultipleObjects  (2, (180, 184, ), 1, 0, 0x0, ... ) == 0x1
 02566   484   NtClose  (184, ... ) == 0x0
 02567   484   NtSetEvent  (180, ... 0x0, ) == 0x0
 02568   484   NtClose  (180, ... ) == 0x0
 02569   484   NtWaitForMultipleObjects  (2, (188, 192, ), 1, 0, 0x0, ... ) == 0x1
 02570   484   NtClose  (192, ... ) == 0x0
 02571   484   NtSetEvent  (188, ... 0x0, ) == 0x0
 02572   484   NtClose  (188, ... ) == 0x0
 02573   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0
 02574   484   NtUnmapViewOfSection  (-1, 0xa20000, ... ) == 0x0
 02575   484   NtClose  (112, ... ) == 0x0
 02576   484   NtGdiDeleteObjectApp  (17826903, ... ) == 0x1
 02577   484   NtUserGetProcessWindowStation  (... ) == 0x28
 02578   484   NtUserBuildNameList  (40, 256, 1392152, 1241836, ... ) == 0x0
 02579   484   NtUserGetProcessWindowStation  (... ) == 0x28
 02580   484   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Default"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x70
 02581   484   NtUserBuildHwndList  (112, 0, 0, 0, 64, ... (0x3004c, 0x100de, 0x100aa, 0x100a8, 0x100a6, 0x20060, 0x100a0, 0x1007e, 0x10074, 0x10068, 0x3004a, 0x10066, 0x3003c, 0x10098, 0x1008c, 0x1007c, 0x10026, 0x300b2, 0x100da, 0x100d2, 0x100be, 0x100bc, 0x100ba, 0x100b8, 0x100b6, 0x100b4, 0x20064, 0x100ce, 0x100c4, 0x100c2, 0x100b0, 0x100ae, 0x100ac, 0x20062, 0x1006c, 0x50050, 0x40054, 0x5004e, 0x10082, 0x10076, 0x1, ), 41, ) == 0x0
 02582   484   NtUserQueryWindow  (196684, 0, ... ) == 0x768
 02583   484   NtUserQueryWindow  (196684, 1, ... ) == 0x778
 02584   484   NtUserQueryWindow  (65758, 0, ... ) == 0x768
 02585   484   NtUserQueryWindow  (65758, 1, ... ) == 0x778
 02586   484   NtUserQueryWindow  (65706, 0, ... ) == 0x7d4
 02587   484   NtUserQueryWindow  (65706, 1, ... ) == 0x7d8
 02588   484   NtUserQueryWindow  (65704, 0, ... ) == 0x7d4
 02589   484   NtUserQueryWindow  (65704, 1, ... ) == 0x7d8
 02590   484   NtUserQueryWindow  (65702, 0, ... ) == 0x7d4
 02591   484   NtUserQueryWindow  (65702, 1, ... ) == 0x7d8
 02592   484   NtUserQueryWindow  (131168, 0, ... ) == 0x7d4
 02593   484   NtUserQueryWindow  (131168, 1, ... ) == 0x7d8
 02594   484   NtUserQueryWindow  (65696, 0, ... ) == 0x768
 02595   484   NtUserQueryWindow  (65696, 1, ... ) == 0x778
 02596   484   NtUserQueryWindow  (65662, 0, ... ) == 0x768
 02597   484   NtUserQueryWindow  (65662, 1, ... ) == 0x778
 02598   484   NtUserBuildHwndList  (0, 65662, 1, 0, 64, ... (0x10080, 0x10086, 0x10088, 0x1008a, 0x1008e, 0x10090, 0x10092, 0x10094, 0x10096, 0x1009a, 0x1009c, 0x1009e, 0x1, ), 13, ) == 0x0
 02599   484   NtUserQueryWindow  (65664, 0, ... ) == 0x768
 02600   484   NtUserQueryWindow  (65664, 1, ... ) == 0x778
 02601   484   NtUserQueryWindow  (65670, 0, ... ) == 0x768
 02602   484   NtUserQueryWindow  (65670, 1, ... ) == 0x778
 02603   484   NtUserQueryWindow  (65672, 0, ... ) == 0x768
 02604   484   NtUserQueryWindow  (65672, 1, ... ) == 0x778
 02605   484   NtUserQueryWindow  (65674, 0, ... ) == 0x768
 02606   484   NtUserQueryWindow  (65674, 1, ... ) == 0x778
 02607   484   NtUserQueryWindow  (65678, 0, ... ) == 0x768
 02608   484   NtUserQueryWindow  (65678, 1, ... ) == 0x778
 02609   484   NtUserQueryWindow  (65680, 0, ... ) == 0x768
 02610   484   NtUserQueryWindow  (65680, 1, ... ) == 0x778
 02611   484   NtUserQueryWindow  (65682, 0, ... ) == 0x768
 02612   484   NtUserQueryWindow  (65682, 1, ... ) == 0x778
 02613   484   NtUserQueryWindow  (65684, 0, ... ) == 0x768
 02614   484   NtUserQueryWindow  (65684, 1, ... ) == 0x778
 02615   484   NtUserQueryWindow  (65686, 0, ... ) == 0x768
 02616   484   NtUserQueryWindow  (65686, 1, ... ) == 0x778
 02617   484   NtUserQueryWindow  (65690, 0, ... ) == 0x768
 02618   484   NtUserQueryWindow  (65690, 1, ... ) == 0x778
 02619   484   NtUserQueryWindow  (65692, 0, ... ) == 0x768
 02620   484   NtUserQueryWindow  (65692, 1, ... ) == 0x778
 02621   484   NtUserQueryWindow  (65694, 0, ... ) == 0x768
 02622   484   NtUserQueryWindow  (65694, 1, ... ) == 0x778
 02623   484   NtUserQueryWindow  (65652, 0, ... ) == 0x768
 02624   484   NtUserQueryWindow  (65652, 1, ... ) == 0x778
 02625   484   NtUserQueryWindow  (65640, 0, ... ) == 0x768
 02626   484   NtUserQueryWindow  (65640, 1, ... ) == 0x778
 02627   484   NtUserQueryWindow  (196682, 0, ... ) == 0x768
 02628   484   NtUserQueryWindow  (196682, 1, ... ) == 0x778
 02629   484   NtUserQueryWindow  (65638, 0, ... ) == 0x768
 02630   484   NtUserQueryWindow  (65638, 1, ... ) == 0x778
 02631   484   NtUserQueryWindow  (196668, 0, ... ) == 0x768
 02632   484   NtUserQueryWindow  (196668, 1, ... ) == 0x778
 02633   484   NtUserBuildHwndList  (0, 196668, 1, 0, 64, ... (0x3003e, 0x30042, 0x30040, 0x30044, 0x30046, 0x30048, 0x1006a, 0x1006e, 0x10072, 0x1, ), 10, ) == 0x0
 02634   484   NtUserQueryWindow  (196670, 0, ... ) == 0x768
 02635   484   NtUserQueryWindow  (196670, 1, ... ) == 0x778
 02636   484   NtUserQueryWindow  (196674, 0, ... ) == 0x768
 02637   484   NtUserQueryWindow  (196674, 1, ... ) == 0x778
 02638   484   NtUserQueryWindow  (196672, 0, ... ) == 0x768
 02639   484   NtUserQueryWindow  (196672, 1, ... ) == 0x778
 02640   484   NtUserQueryWindow  (196676, 0, ... ) == 0x768
 02641   484   NtUserQueryWindow  (196676, 1, ... ) == 0x778
 02642   484   NtUserQueryWindow  (196678, 0, ... ) == 0x768
 02643   484   NtUserQueryWindow  (196678, 1, ... ) == 0x778
 02644   484   NtUserQueryWindow  (196680, 0, ... ) == 0x768
 02645   484   NtUserQueryWindow  (196680, 1, ... ) == 0x778
 02646   484   NtUserQueryWindow  (65642, 0, ... ) == 0x768
 02647   484   NtUserQueryWindow  (65642, 1, ... ) == 0x778
 02648   484   NtUserQueryWindow  (65646, 0, ... ) == 0x768
 02649   484   NtUserQueryWindow  (65646, 1, ... ) == 0x778
 02650   484   NtUserQueryWindow  (65650, 0, ... ) == 0x768
 02651   484   NtUserQueryWindow  (65650, 1, ... ) == 0x778
 02652   484   NtUserQueryWindow  (65688, 0, ... ) == 0x768
 02653   484   NtUserQueryWindow  (65688, 1, ... ) == 0x778
 02654   484   NtUserQueryWindow  (65676, 0, ... ) == 0x768
 02655   484   NtUserQueryWindow  (65676, 1, ... ) == 0x778
 02656   484   NtUserQueryWindow  (65660, 0, ... ) == 0x768
 02657   484   NtUserQueryWindow  (65660, 1, ... ) == 0x76c
 02658   484   NtUserQueryWindow  (65574, 0, ... ) == 0x268
 02659   484   NtUserQueryWindow  (65574, 1, ... ) == 0x2c0
 02660   484   NtUserQueryWindow  (196786, 0, ... ) == 0x3c4
 02661   484   NtUserQueryWindow  (196786, 1, ... ) == 0x3e0
 02662   484   NtUserQueryWindow  (65754, 0, ... ) == 0x13c
 02663   484   NtUserQueryWindow  (65754, 1, ... ) == 0x170
 02664   484   NtUserQueryWindow  (65746, 0, ... ) == 0x13c
 02665   484   NtUserQueryWindow  (65746, 1, ... ) == 0x170
 02666   484   NtUserQueryWindow  (65726, 0, ... ) == 0x7e4
 02667   484   NtUserQueryWindow  (65726, 1, ... ) == 0x7e8
 02668   484   NtUserQueryWindow  (65724, 0, ... ) == 0x7e4
 02669   484   NtUserQueryWindow  (65724, 1, ... ) == 0x7e8
 02670   484   NtUserQueryWindow  (65722, 0, ... ) == 0x7e4
 02671   484   NtUserQueryWindow  (65722, 1, ... ) == 0x7e8
 02672   484   NtUserQueryWindow  (65720, 0, ... ) == 0x7e4
 02673   484   NtUserQueryWindow  (65720, 1, ... ) == 0x7e8
 02674   484   NtUserQueryWindow  (65718, 0, ... ) == 0x7e4
 02675   484   NtUserQueryWindow  (65718, 1, ... ) == 0x7e8
 02676   484   NtUserQueryWindow  (65716, 0, ... ) == 0x7e4
 02677   484   NtUserQueryWindow  (65716, 1, ... ) == 0x7e8
 02678   484   NtUserQueryWindow  (131172, 0, ... ) == 0x7f0
 02679   484   NtUserQueryWindow  (131172, 1, ... ) == 0x7f4
 02680   484   NtUserQueryWindow  (65742, 0, ... ) == 0x768
 02681   484   NtUserQueryWindow  (65742, 1, ... ) == 0x1a4
 02682   484   NtUserQueryWindow  (65732, 0, ... ) == 0x768
 02683   484   NtUserQueryWindow  (65732, 1, ... ) == 0x1a4
 02684   484   NtUserBuildHwndList  (0, 65732, 1, 0, 64, ... (0x100c6, 0x100c8, 0x100ca, 0x100cc, 0x1, ), 5, ) == 0x0
 02685   484   NtUserQueryWindow  (65734, 0, ... ) == 0x768
 02686   484   NtUserQueryWindow  (65734, 1, ... ) == 0x1a4
 02687   484   NtUserQueryWindow  (65736, 0, ... ) == 0x768
 02688   484   NtUserQueryWindow  (65736, 1, ... ) == 0x1a4
 02689   484   NtUserQueryWindow  (65738, 0, ... ) == 0x768
 02690   484   NtUserQueryWindow  (65738, 1, ... ) == 0x1a4
 02691   484   NtUserQueryWindow  (65740, 0, ... ) == 0x768
 02692   484   NtUserQueryWindow  (65740, 1, ... ) == 0x1a4
 02693   484   NtUserQueryWindow  (65730, 0, ... ) == 0x768
 02694   484   NtUserQueryWindow  (65730, 1, ... ) == 0x778
 02695   484   NtUserQueryWindow  (65712, 0, ... ) == 0x7e4
 02696   484   NtUserQueryWindow  (65712, 1, ... ) == 0x7e8
 02697   484   NtUserQueryWindow  (65710, 0, ... ) == 0x7d4
 02698   484   NtUserQueryWindow  (65710, 1, ... ) == 0x7d8
 02699   484   NtUserQueryWindow  (65708, 0, ... ) == 0x7e4
 02700   484   NtUserQueryWindow  (65708, 1, ... ) == 0x7e8
 02701   484   NtUserQueryWindow  (131170, 0, ... ) == 0x7cc
 02702   484   NtUserQueryWindow  (131170, 1, ... ) == 0x7d0
 02703   484   NtUserQueryWindow  (65644, 0, ... ) == 0x768
 02704   484   NtUserQueryWindow  (65644, 1, ... ) == 0x798
 02705   484   NtUserQueryWindow  (327760, 0, ... ) == 0x768
 02706   484   NtUserQueryWindow  (327760, 1, ... ) == 0x76c
 02707   484   NtUserQueryWindow  (262228, 0, ... ) == 0x768
 02708   484   NtUserQueryWindow  (262228, 1, ... ) == 0x76c
 02709   484   NtUserQueryWindow  (327758, 0, ... ) == 0x768
 02710   484   NtUserQueryWindow  (327758, 1, ... ) == 0x76c
 02711   484   NtUserQueryWindow  (65666, 0, ... ) == 0x768
 02712   484   NtUserQueryWindow  (65666, 1, ... ) == 0x76c
 02713   484   NtUserQueryWindow  (65654, 0, ... ) == 0x768
 02714   484   NtUserQueryWindow  (65654, 1, ... ) == 0x76c
 02715   484   NtUserBuildHwndList  (0, 65654, 1, 0, 64, ... (0x10078, 0x1007a, 0x1, ), 3, ) == 0x0
 02716   484   NtUserQueryWindow  (65656, 0, ... ) == 0x768
 02717   484   NtUserQueryWindow  (65656, 1, ... ) == 0x76c
 02718   484   NtUserQueryWindow  (65658, 0, ... ) == 0x768
 02719   484   NtUserQueryWindow  (65658, 1, ... ) == 0x76c
 02720   484   NtUserCloseDesktop  (112, ...
 02721   484   NtClose  (112, ... ) == 0x0
 02720   484   NtUserCloseDesktop  ... ) == 0x1
 02722   484   NtUserGetProcessWindowStation  (... ) == 0x28
 02723   484   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Disconnect"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02724   484   NtUserGetProcessWindowStation  (... ) == 0x28
 02725   484   NtUserOpenDesktop  ({24, 40, 0x40, 0, 0,  ({24, 40, 0x40, 0, 0, "Winlogon"}, 1, 0x41, ... ) }, 1, 0x41, ... ) == 0x0
 02726   484   NtGdiDeleteObjectApp  (134874196, ... ) == 0x1
 02727   484   NtGdiDeleteObjectApp  (101319765, ... ) == 0x1
 02728   484   NtClose  (104, ... ) == 0x0
 02729   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0
 02730   484   NtClose  (96, ... ) == 0x0
 02731   484   NtUnmapViewOfSection  (-1, 0x8f0000, ... ) == 0x0
 02732   484   NtClose  (100, ... ) == 0x0
 02733   484   NtClose  (80, ... ) == 0x0
 02734   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0
 02735   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc03b
 02736   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02737   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc03d
 02738   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02739   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc03f
 02740   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02741   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc041
 02742   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02743   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc043
 02744   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02745   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc045
 02746   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02747   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc047
 02748   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02749   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc049
 02750   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02751   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc04b
 02752   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02753   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc04d
 02754   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02755   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc04f
 02756   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02757   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc051
 02758   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02759   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc053
 02760   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02761   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc057
 02762   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02763   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc059
 02764   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02765   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc05b
 02766   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02767   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc05d
 02768   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02769   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc05f
 02770   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02771   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc017
 02772   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02773   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc019
 02774   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02775   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc018
 02776   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02777   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc01a
 02778   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02779   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc01c
 02780   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02781   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc01e
 02782   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02783   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc01b
 02784   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02785   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc068
 02786   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02787   484   NtUserGetClassInfo  (1905590272, 1241884, 1241836, 1241912, 0, ... ) == 0xc06a
 02788   484   NtUserUnregisterClass  (1241888, 1905590272, 1241876, ... ) == 0x1
 02789   484   NtUnmapViewOfSection  (-1, 0x900000, ... ) == 0x0
 02790   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x4,}, 4, ... ) == 0x0
 02791   484   NtClose  (176, ... ) == 0x0
 02792   484   NtClose  (152, ... ) == 0x0
 02793   484   NtClose  (168, ... ) == 0x0
 02794   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0
 02795   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0
 02796   484   NtSetInformationThread  (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0
 02797   484   NtClose  (156, ... ) == 0x0
 02798   484   NtClose  (160, ... ) == 0x0
 02799   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc03b
 02800   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02801   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc03d
 02802   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02803   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc03f
 02804   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02805   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc041
 02806   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02807   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc043
 02808   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02809   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc045
 02810   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02811   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc047
 02812   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02813   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc049
 02814   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02815   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc04b
 02816   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02817   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc04d
 02818   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02819   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc04f
 02820   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02821   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc051
 02822   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02823   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc053
 02824   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02825   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc057
 02826   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02827   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc059
 02828   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02829   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc05b
 02830   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02831   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc05d
 02832   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02833   484   NtUserGetClassInfo  (1999896576, 1241884, 1241836, 1241912, 0, ... ) == 0xc05f
 02834   484   NtUserUnregisterClass  (1241888, 1999896576, 1241876, ... ) == 0x1
 02835   484   NtClose  (108, ... ) == 0x0
 02836   484   NtFreeVirtualMemory  (-1, (0x0), 0, 32768, ... ) == STATUS_MEMORY_NOT_ALLOCATED
 02837   484   NtRequestWaitReplyPort  (24, {20, 48, new_msg, 0, 0, 0, 0, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 468, 484, 1611, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ... {20, 48, reply, 0, 468, 484, 1611, 0}  (24, {20, 48, new_msg, 0, 0, 0, 0, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 468, 484, 1611, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0" )  ) == 0x0
 02838   484   NtTerminateProcess  (-1, 0, ...
 02839   484   NtClose  (44, ... ) == 0x0
NtAccessCheck(>)	1	NtCreateIoCompletion(>)	2	NtCreateSemaphore(>)	6	NtOpenThreadToken(>)	20
NtAddAtom(>)	1	NtEnumerateKey(>)	2	NtOpenSymbolicLinkObject(>)	6	NtUnmapViewOfSection(>)	21
NtCallbackReturn(>)	1	NtGdiCreateSolidBrush(>)	2	NtQueryDefaultLocale(>)	6	NtCreateKey(>)	22
NtConnectPort(>)	1	NtGdiHfontCreate(>)	2	NtQuerySymbolicLinkObject(>)	6	NtCreateSection(>)	27
NtCreateProcessEx(>)	1	NtOpenDirectoryObject(>)	2	NtUserGetProcessWindowStation(>)	6	NtQueryInformationFile(>)	27
NtCreateThread(>)	1	NtQueryInstallUILanguage(>)	2	NtUserCallNoParam(>)	7	NtReadVirtualMemory(>)	30
NtDeleteValueKey(>)	1	NtRaiseException(>)	2	NtOpenProcess(>)	8	NtOpenSection(>)	31
NtGdiCreateBitmap(>)	1	NtTerminateProcess(>)	2	NtQueryDefaultUILanguage(>)	8	NtReleaseSemaphore(>)	31
NtGdiCreatePatternBrushInternal(>)	1	NtUserCloseDesktop(>)	2	NtSetInformationFile(>)	8	NtSetInformationProcess(>)	31
NtGdiInit(>)	1	NtUserCreateWindowEx(>)	2	NtQueryVolumeInformationFile(>)	9	NtWaitForSingleObject(>)	35
NtGdiQueryFontAssocInfo(>)	1	NtUserDestroyWindow(>)	2	NtUserBuildHwndList(>)	9	NtProtectVirtualMemory(>)	40
NtGdiSelectBitmap(>)	1	NtUserMessageCall(>)	2	NtContinue(>)	10	NtUserUnregisterClass(>)	46
NtNotifyChangeKey(>)	1	NtCreateMutant(>)	3	NtFsControlFile(>)	10	NtMapViewOfSection(>)	48
NtOpenKeyedEvent(>)	1	NtEnumerateValueKey(>)	3	NtUserGetWindowDC(>)	10	NtUserFindExistingCursorIcon(>)	48
NtQueryInformationJobObject(>)	1	NtGdiCreateCompatibleDC(>)	3	NtFlushInstructionCache(>)	11	NtQueryInformationProcess(>)	51
NtQueryObject(>)	1	NtGdiDeleteObjectApp(>)	3	NtQuerySection(>)	11	NtDeviceIoControlFile(>)	55
NtQueryPerformanceCounter(>)	1	NtOpenEvent(>)	3	NtRequestWaitReplyPort(>)	11	NtOpenProcessTokenEx(>)	60
NtQuerySystemTime(>)	1	NtOpenMutant(>)	3	NtUserCallOneParam(>)	11	NtOpenThreadTokenEx(>)	60
NtRegisterThreadTerminatePort(>)	1	NtSetEvent(>)	3	NtUserSystemParametersInfo(>)	11	NtUserRegisterClassExWOW(>)	64
NtResumeThread(>)	1	NtUserGetObjectInformation(>)	3	NtLockFile(>)	13	NtQueryAttributesFile(>)	68
NtSecureConnectPort(>)	1	NtUserOpenDesktop(>)	3	NtUnlockFile(>)	13	NtQueryInformationToken(>)	72
NtSetSecurityObject(>)	1	NtUserRemoveProp(>)	3	NtCreateEvent(>)	14	NtQueryKey(>)	73
NtTestAlert(>)	1	NtWaitForMultipleObjects(>)	3	NtOpenProcessToken(>)	14	NtUserGetClassInfo(>)	82
NtUserBuildNameList(>)	1	NtQueryVirtualMemory(>)	4	NtSetValueKey(>)	15	NtQuerySystemInformation(>)	88
NtUserGetAtomName(>)	1	NtReleaseMutant(>)	4	NtQueryDebugFilterState(>)	16	NtAllocateVirtualMemory(>)	89
NtUserGetDC(>)	1	NtSetInformationObject(>)	4	NtQueryDirectoryFile(>)	17	NtOpenFile(>)	90
NtUserGetForegroundWindow(>)	1	NtUserFindWindowEx(>)	4	NtReadFile(>)	17	NtQueryValueKey(>)	125
NtUserGetGUIThreadInfo(>)	1	NtWriteVirtualMemory(>)	4	NtSetInformationThread(>)	17	NtOpenKey(>)	288
NtUserGetThreadDesktop(>)	1	NtDuplicateObject(>)	5	NtCreateFile(>)	18	NtUserQueryWindow(>)	290
NtUserSetProp(>)	1	NtGdiGetStockObject(>)	5	NtFreeVirtualMemory(>)	18	NtClose(>)	396
NtAdjustPrivilegesToken(>)	2	NtWriteFile(>)	5	NtUserRegisterWindowMessage(>)	19