Summary (per-syscall call counts, formatted `name(>) count`, listed in ascending order of count):

NtAccessCheck(>) 1 NtGdiCreateSolidBrush(>) 2 NtFlushInstructionCache(>) 10 NtQueryInformationFile(>) 44
NtAddAtom(>) 1 NtGdiHfontCreate(>) 2 NtUserGetWindowDC(>) 10 NtFsControlFile(>) 45
NtCallbackReturn(>) 1 NtOpenDirectoryObject(>) 2 NtClearEvent(>) 11 NtOpenSection(>) 45
NtCreateThread(>) 1 NtQueryInstallUILanguage(>) 2 NtQueryVolumeInformationFile(>) 11 NtOpenThreadToken(>) 45
NtGdiCreateBitmap(>) 1 NtRegisterThreadTerminatePort(>) 2 NtUserCallOneParam(>) 11 NtQueryInformationToken(>) 48
NtGdiCreatePatternBrushInternal(>) 1 NtTestAlert(>) 2 NtUserSystemParametersInfo(>) 11 NtUserFindExistingCursorIcon(>) 48
NtGdiInit(>) 1 NtUserCreateWindowEx(>) 2 NtCreateSemaphore(>) 12 NtSetInformationFile(>) 51
NtGdiQueryFontAssocInfo(>) 1 NtUserGetObjectInformation(>) 2 NtEnumerateKey(>) 12 NtSetInformationProcess(>) 51
NtGdiSelectBitmap(>) 1 NtUserMessageCall(>) 2 NtOpenProcessToken(>) 12 NtQueryInformationProcess(>) 54
NtOpenKeyedEvent(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQueryDefaultUILanguage(>) 12 NtRequestWaitReplyPort(>) 54
NtOpenProcess(>) 1 NtQuerySystemTime(>) 3 NtSetEvent(>) 12 NtAllocateVirtualMemory(>) 55
NtOpenSymbolicLinkObject(>) 1 NtUserGetMessage(>) 3 NtOpenProcessTokenEx(>) 16 NtReleaseMutant(>) 57
NtQueryEvent(>) 1 NtUserRegisterWindowMessage(>) 4 NtOpenThreadTokenEx(>) 16 NtUserRegisterClassExWOW(>) 64
NtQueryInformationThread(>) 1 NtDuplicateToken(>) 5 NtWriteFile(>) 16 NtMapViewOfSection(>) 65
NtQueryObject(>) 1 NtGdiGetStockObject(>) 5 NtConnectPort(>) 18 NtCreateEvent(>) 66
NtQuerySymbolicLinkObject(>) 1 NtNotifyChangeKey(>) 5 NtQuerySection(>) 19 NtCreateKey(>) 79
NtQueryTimerResolution(>) 1 NtQuerySecurityObject(>) 5 NtReadFile(>) 19 NtQueryDefaultLocale(>) 99
NtResumeThread(>) 1 NtSetInformationObject(>) 5 NtUnmapViewOfSection(>) 21 NtOpenFile(>) 108
NtSecureConnectPort(>) 1 NtCreateMutant(>) 6 NtProtectVirtualMemory(>) 25 NtQueryAttributesFile(>) 134
NtUserGetDC(>) 1 NtDuplicateObject(>) 6 NtQuerySystemInformation(>) 25 NtQueryVirtualMemory(>) 147
NtUserGetGUIThreadInfo(>) 1 NtFreeVirtualMemory(>) 6 NtQueryDirectoryFile(>) 28 NtEnumerateValueKey(>) 231
NtUserGetProcessWindowStation(>) 1 NtOpenEvent(>) 7 NtQueryDebugFilterState(>) 29 NtOpenKey(>) 326
NtUserGetThreadDesktop(>) 1 NtReleaseSemaphore(>) 7 NtSetInformationThread(>) 29 NtQueryValueKey(>) 525
NtUserSetProp(>) 1 NtUserCallNoParam(>) 7 NtCreateSection(>) 34 NtWaitForSingleObject(>) 546
NtUserSetTimer(>) 1 NtQueryKey(>) 8 NtUserGetClassInfo(>) 37 NtClose(>) 567
NtContinue(>) 2 NtDeleteValueKey(>) 9 NtSetValueKey(>) 41 NtDeviceIoControlFile(>) 757
NtCreateIoCompletion(>) 2 NtOpenMutant(>) 9 NtCreateFile(>) 42

Trace (one entry per call: sequence number, caller id, syscall, input arguments ... output values, `== NTSTATUS`; an entry whose number appears twice, e.g. 00120, is a single call whose return value is logged after the nested entry that follows it):

00001 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 460 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 460 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 460 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 460 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 460 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 460 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 460 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 460 NtClose (12, ... 
) == 0x0 00014 460 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 460 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 460 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 460 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 460 NtClose (16, ... ) == 0x0 00021 460 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 460 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 460 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 460 NtClose (16, ... ) == 0x0 00026 460 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 460 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 460 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 460 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1541, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 456, 460, 1541, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 456, 460, 1541, 0} "`\323\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 460 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 460 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 460 NtClose (16, ... ) == 0x0 00036 460 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 460 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 460 NtClose (28, ... ) == 0x0 00041 460 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 460 NtClose (28, ... ) == 0x0 00045 460 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 460 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 460 NtClose (28, ... ) == 0x0 00049 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 460 NtClose (28, ... ) == 0x0 00052 460 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 456, 460, 1552, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 456, 460, 1552, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 456, 460, 1552, 0} "\230\243\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00057 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00058 460 NtClose (28, ... ) == 0x0 00059 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00061 460 NtClose (28, ... ) == 0x0 00062 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 460 NtClose (28, ... ) == 0x0 00065 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00067 460 NtClose (28, ... ) == 0x0 00068 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00070 460 NtClose (28, ... ) == 0x0 00071 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00072 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00073 460 NtClose (28, ... 
) == 0x0 00074 460 NtProtectVirtualMemory (-1, (0x407000), 204, 4, ... (0x407000), 4096, 2, ) == 0x0 00075 460 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00076 460 NtFlushInstructionCache (-1, 4222976, 204, ... ) == 0x0 00077 460 NtProtectVirtualMemory (-1, (0x407000), 204, 4, ... (0x407000), 4096, 2, ) == 0x0 00078 460 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00079 460 NtFlushInstructionCache (-1, 4222976, 204, ... ) == 0x0 00080 460 NtProtectVirtualMemory (-1, (0x407000), 204, 4, ... (0x407000), 4096, 2, ) == 0x0 00081 460 NtProtectVirtualMemory (-1, (0x407000), 4096, 2, ... (0x407000), 4096, 4, ) == 0x0 00082 460 NtFlushInstructionCache (-1, 4222976, 204, ... ) == 0x0 00083 460 NtOpenProcessToken (-1, 0x8, ... 28, ) == 0x0 00084 460 NtQueryInformationToken (28, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00085 460 NtClose (28, ... ) == 0x0 00086 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00087 460 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00088 460 NtClose (28, ... ) == 0x0 00089 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00090 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00091 460 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 
3276800, 4096, ) == 0x0 00092 460 NtAllocateVirtualMemory (-1, 3280896, 0, 8192, 4096, 4, ... 3280896, 8192, ) == 0x0 00093 460 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00094 460 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 28, ) }, ... 28, ) == 0x0 00095 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x330000), 0x0, 12288, ) == 0x0 00096 460 NtClose (28, ... ) == 0x0 00097 460 NtAllocateVirtualMemory (-1, 3289088, 0, 4096, 4096, 4, ... 3289088, 4096, ) == 0x0 00098 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00099 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1556, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 456, 460, 1556, 0} (24, {28, 56, new_msg, 0, 1243120, 256, 1242864, 256} "\210\6\32\1\0\0\0\0\1\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 456, 460, 1556, 0} "XQ\26\0\0\0\0\0\0\0\0\0\360\367\22\0\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00100 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00101 460 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x4e0000), 0x0, 1060864, ) == 0x0 00102 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 32, ) == 0x0 00103 460 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... 
) == STATUS_NO_TOKEN 00104 460 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482036, ) == 0x0 00105 460 NtQueryInformationToken (-2147482036, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00106 460 NtQueryInformationToken (-2147482036, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00107 460 NtClose (-2147482036, ... ) == 0x0 00108 460 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 3407872, 4096, ) == 0x0 00109 460 NtFreeVirtualMemory (-1, (0x340000), 4096, 32768, ... (0x340000), 4096, ) == 0x0 00110 460 NtDuplicateObject (-1, 36, -1, 0x0, 0, 2, ... 44, ) == 0x0 00111 460 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0 00112 460 NtQueryValueKey (-2147482036, (-2147482036, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00113 460 NtClose (-2147482036, ... ) == 0x0 00114 460 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482036, ) }, ... -2147482036, ) == 0x0 00115 460 NtQueryValueKey (-2147482036, (-2147482036, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00116 460 NtClose (-2147482036, ... ) == 0x0 00117 460 NtQueryDefaultLocale (0, -131954164, ... ) == 0x0 00118 460 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00119 460 NtUserCallNoParam (24, ... ) == 0x0 00120 460 NtGdiCreateCompatibleDC (0, ... 00121 460 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3407872, 4096, ) == 0x0 00120 460 NtGdiCreateCompatibleDC ... ) == 0xe010448 00122 460 NtGdiGetStockObject (0, ... ) == 0x1900010 00123 460 NtGdiGetStockObject (4, ... ) == 0x1900011 00124 460 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb05044f 00125 460 NtGdiCreateSolidBrush (0, 0, ... 
00126 460 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 3473408, 4096, ) == 0x0 00125 460 NtGdiCreateSolidBrush ... ) == 0x8100452 00127 460 NtGdiGetStockObject (13, ... ) == 0x18a0021 00128 460 NtGdiCreateCompatibleDC (0, ... ) == 0x6010453 00129 460 NtGdiSelectBitmap (100729939, 184878159, ... ) == 0x185000f 00130 460 NtUserGetThreadDesktop (460, 0, ... ) == 0x28 00131 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 48, ) }, ... 48, ) == 0x0 00132 460 NtQueryValueKey (48, (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (48, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00133 460 NtClose (48, ... ) == 0x0 00134 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00135 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017 00136 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00137 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c 00138 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00139 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e 00140 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00141 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002 00142 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00143 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018 00144 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00145 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... 
) == 0x810cc01a 00146 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00147 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... ) == 0x810cc01d 00148 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00149 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026 00150 460 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00151 460 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019 00152 460 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020 00153 460 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022 00154 460 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00155 460 NtAllocateVirtualMemory (-1, 6336512, 0, 4096, 4096, 32, ... 6336512, 4096, ) == 0x0 00154 460 NtUserRegisterClassExWOW ... ) == 0x810cc023 00156 460 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024 00157 460 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc025 00158 460 NtCallbackReturn (0, 0, 0, ... 00159 460 NtGdiInit (... ) == 0x1 00160 460 NtGdiGetStockObject (18, ... ) == 0x290001c 00161 460 NtGdiGetStockObject (19, ... ) == 0x1b00019 00162 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 48, ) }, ... 48, ) == 0x0 00163 460 NtQueryValueKey (48, (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (48, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00164 460 NtQueryValueKey (48, (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... 
TitleIdx=0, Type=4, Data= (48, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00165 460 NtClose (48, ... ) == 0x0 00166 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 48, ) }, ... 48, ) == 0x0 00167 460 NtQueryValueKey (48, (48, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00168 460 NtClose (48, ... ) == 0x0 00169 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 48, ) }, ... 48, ) == 0x0 00170 460 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00171 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00172 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00173 460 NtTestAlert (... ) == 0x0 00174 460 NtContinue (1244464, 1, ... 00175 460 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401440,}, 4, ... ) == 0x0 00176 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244716, (0x80100080, {24, 0, 0x40, 0, 1244716, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 96, 0, 0, ... 52, {status=0x0, info=1}, ) == 0x0 00177 460 NtClose (52, ... ) == 0x0 00178 460 NtProtectVirtualMemory (-1, (0x402000), 19456, 64, ... (0x402000), 20480, 32, ) == 0x0 00179 460 NtProtectVirtualMemory (-1, (0x402000), 19456, 32, ... (0x402000), 20480, 64, ) == 0x0 00180 460 NtProtectVirtualMemory (-1, (0x408000), 25088, 64, ... (0x408000), 28672, 8, ) == 0x0 00181 460 NtProtectVirtualMemory (-1, (0x408000), 25088, 8, ... 
(0x408000), 28672, 64, ) == 0x0 00182 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 52, ) }, ... 52, ) == 0x0 00183 460 NtQueryValueKey (52, (52, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 460 NtClose (52, ... ) == 0x0 00185 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wininet.dll"}, ... 52, ) }, ... 52, ) == 0x0 00186 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00187 460 NtClose (52, ... ) == 0x0 00188 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00189 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00190 460 NtClose (52, ... ) == 0x0 00191 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 52, ) }, ... 52, ) == 0x0 00192 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00193 460 NtClose (52, ... ) == 0x0 00194 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 52, ) }, ... 52, ) == 0x0 00195 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77120000), 0x0, 569344, ) == 0x0 00196 460 NtClose (52, ... ) == 0x0 00197 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 52, ) }, ... 52, ) == 0x0 00198 460 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00199 460 NtClose (52, ... ) == 0x0 00200 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00201 460 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 
1327104, 4096, ) == 0x0 00202 460 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00203 460 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00204 460 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00205 460 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 52, ) }, ... 52, ) == 0x0 00206 460 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1240840, 0, (0x1f0003, {24, 52, 0x80, 1240840, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00207 460 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 56, ) }, ... 56, ) == 0x0 00208 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00209 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00210 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 60, ) }, ... 60, ) == 0x0 00211 460 NtQueryValueKey (60, (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00212 460 NtClose (60, ... ) == 0x0 00213 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00214 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00215 460 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00216 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00217 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00218 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 60, ) }, ... 60, ) == 0x0 00219 460 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00220 460 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00221 460 NtQueryValueKey (60, (60, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00222 460 NtClose (60, ... ) == 0x0 00223 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 60, ) }, ... 60, ) == 0x0 00224 460 NtQueryValueKey (60, (60, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00225 460 NtQueryValueKey (60, (60, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00226 460 NtClose (60, ... 
) == 0x0 00227 460 NtOpenEvent (0x1f0003, {24, 52, 0x0, 0, 0, (0x1f0003, {24, 52, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00228 460 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00229 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00230 460 NtOpenKey (0x9, {24, 48, 0x40, 0, 0, (0x9, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00231 460 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00232 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00233 460 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00234 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00235 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 60, ) == 0x0 00236 460 NtQueryInformationToken (60, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00237 460 NtClose (60, ... ) == 0x0 00238 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 60, ) }, ... 60, ) == 0x0 00239 460 NtSetInformationObject (60, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00240 460 NtCreateKey (0xf003f, {24, 60, 0x40, 0, 0, (0xf003f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00241 460 NtQueryDefaultUILanguage (1239076, ... 00242 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00243 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00244 460 NtQueryInformationToken (-2147482032, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00245 460 NtClose (-2147482032, ... ) == 0x0 00246 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00247 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00248 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00249 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00250 460 NtClose (-2147482044, ... ) == 0x0 00251 460 NtClose (-2147482032, ... ) == 0x0 00241 460 NtQueryDefaultUILanguage ... ) == 0x0 00252 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00253 460 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00254 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00255 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00256 460 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x360000), 0x0, 593920, ) == 0x0 00257 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00258 460 NtQueryDefaultUILanguage (2013024600, ... 00259 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00260 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 
-2147482032, ) == 0x0 00261 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00262 460 NtClose (-2147482032, ... ) == 0x0 00263 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00264 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00266 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00267 460 NtClose (-2147482044, ... ) == 0x0 00268 460 NtClose (-2147482032, ... ) == 0x0 00258 460 NtQueryDefaultUILanguage ... ) == 0x0 00269 460 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00270 460 NtQueryDefaultLocale (1, 1237112, ... ) == 0x0 00271 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\wininet.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00272 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237968, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237968, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\320\352\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 456, 460, 1569, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\320\352\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 456, 460, 1569, 0} (24, {128, 156, new_msg, 0, 1237968, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\320\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1569, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275=\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\320\352\22\0\0\0\0\0" ) ) == 0x0 00273 460 NtClose (68, ... ) == 0x0 00274 460 NtClose (72, ... ) == 0x0 00275 460 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 00276 460 NtUnmapViewOfSection (-1, 0x12ead0, ... ) == STATUS_NOT_MAPPED_VIEW 00277 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00278 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00280 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00281 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235652, ... ) }, 1235652, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00282 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00283 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00284 460 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00285 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236244, ... ) }, 1236244, ... ) == 0x0 00286 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00287 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00288 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00289 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00290 460 NtClose (68, ... ) == 0x0 00291 460 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 921600, ) == 0x0 00292 460 NtClose (76, ... ) == 0x0 00293 460 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00294 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00295 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00296 460 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00297 460 NtOpenProcessToken (-1, 0x8, ... 80, ) == 0x0 00298 460 NtQueryInformationToken (80, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00299 460 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00300 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 84, ) }, ... 84, ) == 0x0 00301 460 NtQueryValueKey (84, (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (84, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00302 460 NtClose (84, ... ) == 0x0 00303 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00304 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 84, ) == 0x0 00305 460 NtQueryInformationToken (84, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00306 460 NtClose (84, ... ) == 0x0 00307 460 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 460 NtClose (80, ... ) == 0x0 00309 460 NtClose (76, ... ) == 0x0 00310 460 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00311 460 NtClose (68, ... ) == 0x0 00312 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00313 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00314 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00315 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00316 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00317 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00318 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00319 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00320 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00321 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00322 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00323 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00324 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00325 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00326 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00327 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00328 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00329 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00330 460 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00331 460 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00332 460 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00333 460 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1237428, ... ) , 42, 1237428, ... ) == 0x0 00334 460 NtQueryDefaultUILanguage (1236144, ... 00335 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00336 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00337 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00338 460 NtClose (-2147482032, ... ) == 0x0 00339 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 00340 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00341 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00342 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00343 460 NtClose (-2147482044, ... ) == 0x0 00344 460 NtClose (-2147482032, ... ) == 0x0 00334 460 NtQueryDefaultUILanguage ... ) == 0x0 00345 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00346 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234996, ... ) }, 1234996, ... ) == 0x0 00347 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00348 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00349 460 NtClose (68, ... ) == 0x0 00350 460 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x360000), 0x0, 4096, ) == 0x0 00351 460 NtClose (76, ... ) == 0x0 00352 460 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 00353 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1234636, ... ) }, 1234636, ... ) == 0x0 00354 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1235336, (0x80100080, {24, 0, 0x40, 0, 1235336, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 
76, {status=0x0, info=1}, ) == 0x0 00355 460 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00356 460 NtClose (76, ... ) == 0x0 00357 460 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x360000), {0, 0}, 4096, ) == 0x0 00358 460 NtClose (68, ... ) == 0x0 00359 460 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 00360 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00361 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00362 460 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x360000), 0x0, 4096, ) == 0x0 00363 460 NtQueryInformationFile (68, 1234956, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00364 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00365 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1235036, 1, 96, 0} (24, {128, 156, new_msg, 0, 1235036, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1570, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 456, 460, 1570, 0} (24, {128, 156, new_msg, 0, 1235036, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1570, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\\337\22\0\0\0\0\0" ) ) == 0x0 00366 460 NtClose (68, ... ) == 0x0 00367 460 NtClose (76, ... ) == 0x0 00368 460 NtUnmapViewOfSection (-1, 0x360000, ... ) == 0x0 00369 460 NtUnmapViewOfSection (-1, 0x12df5c, ... ) == STATUS_NOT_MAPPED_VIEW 00370 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00371 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00372 460 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00373 460 NtUserGetDC (0, ... ) == 0x1010053 00374 460 NtUserCallOneParam (16842835, 56, ... ) == 0x1 00375 460 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00376 460 NtUserSystemParametersInfo (66, 12, 1237448, 0, ... ) == 0x1 00377 460 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00378 460 NtAccessCheck (1343968, 76, 0x1, 1236852, 1236796, 56, 1236880, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00379 460 NtClose (76, ... ) == 0x0 00380 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00381 460 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00382 460 NtClose (76, ... ) == 0x0 00383 460 NtUserSystemParametersInfo (41, 500, 1236948, 0, ... 
) == 0x1 00384 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00385 460 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00386 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00387 460 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00388 460 NtClose (68, ... ) == 0x0 00389 460 NtClose (76, ... ) == 0x0 00390 460 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00391 460 NtUserSystemParametersInfo (4130, 0, 1237472, 0, ... ) == 0x1 00392 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00393 460 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00394 460 NtClose (76, ... ) == 0x0 00395 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00396 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc03b 00397 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc03d 00398 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00399 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc03f 00400 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00401 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc041 00402 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00403 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... 
) == 0x810cc043 00404 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc045 00405 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00406 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc047 00407 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00408 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc049 00409 460 NtUserGetClassInfo (1905590272, 1237368, 1237320, 1237396, 0, ... ) == 0xc049 00410 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00411 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc04b 00412 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00413 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc04d 00414 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00415 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc04f 00416 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc051 00417 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00418 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc053 00419 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00420 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc055 00421 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc057 00422 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00423 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc059 00424 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... 
) == 0x10013 00425 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc05b 00426 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00427 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc05d 00428 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00429 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc05f 00430 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00431 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc017 00432 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00433 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc019 00434 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10013 00435 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc018 00436 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00437 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc01a 00438 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00439 460 NtUserRegisterClassExWOW (1237204, 1237284, 1237268, 1237300, 0, 384, 0, ... ) == 0x810cc01c 00440 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00441 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... ) == 0x810cc01e 00442 460 NtUserFindExistingCursorIcon (1236752, 1236768, 1237336, ... ) == 0x10011 00443 460 NtUserRegisterClassExWOW (1237264, 1237344, 1237328, 1237360, 0, 384, 0, ... ) == 0x810cc01b 00444 460 NtUserFindExistingCursorIcon (1236748, 1236764, 1237332, ... ) == 0x10011 00445 460 NtUserRegisterClassExWOW (1237260, 1237340, 1237324, 1237356, 0, 384, 0, ... 
) == 0x810cc068 00446 460 NtUserFindExistingCursorIcon (1236756, 1236772, 1237340, ... ) == 0x10011 00447 460 NtUserRegisterClassExWOW (1237208, 1237288, 1237272, 1237304, 0, 384, 0, ... 00448 460 NtAllocateVirtualMemory (-1, 6340608, 0, 4096, 4096, 32, ... 6340608, 4096, ) == 0x0 00447 460 NtUserRegisterClassExWOW ... ) == 0x810cc06a 00449 460 NtCreateKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00450 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "mpr.dll"}, ... 68, ) }, ... 68, ) == 0x0 00451 460 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71b20000), 0x0, 69632, ) == 0x0 00452 460 NtClose (68, ... ) == 0x0 00453 460 NtCreateSemaphore (0x1f0003, 0x0, 1, 1, ... 68, ) == 0x0 00454 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 80, ) == 0x0 00455 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "system\CurrentControlSet\control\NetworkProvider\HwOrder"}, ... 84, ) }, ... 84, ) == 0x0 00456 460 NtNotifyChangeKey (84, 80, 0, 0, 2011390432, 4, 0, 0, 0, 1, ... ) == 0x103 00457 460 NtQueryInformationProcess (-1, 28, 4, ... {process info, class 28, size 4}, 0x0, ) == 0x0 00458 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 88, ) == 0x0 00459 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 92, ) == 0x0 00460 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 96, ) }, ... 96, ) == 0x0 00461 460 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00462 460 NtClose (96, ... ) == 0x0 00463 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SYSTEM\Setup"}, ... 96, ) }, ... 96, ) == 0x0 00464 460 NtQueryValueKey (96, (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (96, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00465 460 NtClose (96, ... ) == 0x0 00466 460 NtQueryDefaultUILanguage (1239064, ... 00467 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00468 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00469 460 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00470 460 NtClose (-2147482032, ... ) == 0x0 00471 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00472 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00473 460 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00474 460 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00475 460 NtClose (-2147482044, ... ) == 0x0 00476 460 NtClose (-2147482032, ... ) == 0x0 00466 460 NtQueryDefaultUILanguage ... ) == 0x0 00477 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00478 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 96, {status=0x0, info=1}, ) }, 1, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00479 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 96, ... 100, ) == 0x0 00480 460 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... 
(0x900000), 0x0, 8323072, ) == 0x0 00481 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 460 NtQueryDefaultLocale (1, 1237100, ... ) == 0x0 00483 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00484 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237956, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237956, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\304\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1571, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\304\352\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 456, 460, 1571, 0} (24, {128, 156, new_msg, 0, 1237956, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\304\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1571, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\347\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1`\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\304\352\22\0\0\0\0\0" ) ) == 0x0 00485 460 NtClose (96, ... 
) == 0x0 00486 460 NtClose (100, ... ) == 0x0 00487 460 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00488 460 NtUnmapViewOfSection (-1, 0x12eac4, ... ) == STATUS_NOT_MAPPED_VIEW 00489 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00490 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00491 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00492 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00493 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236184, ... ) }, 1236184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00494 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00495 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00496 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00497 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236776, ... ) }, 1236776, ... ) == 0x0 00498 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 100, {status=0x0, info=1}, ) }, 3, 33, ... 100, {status=0x0, info=1}, ) == 0x0 00499 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00500 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 96, ) }, ... 96, ) == 0x0 00501 460 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00502 460 NtClose (96, ... ) == 0x0 00503 460 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {456, 0}, ... 96, ) == 0x0 00504 460 NtQueryInformationProcess (96, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00505 460 NtClose (96, ... ) == 0x0 00506 460 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... 
) == 0xc03a 00507 460 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00508 460 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00509 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Control Panel\Desktop"}, ... 96, ) }, ... 96, ) == 0x0 00510 460 NtQueryValueKey (96, (96, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00511 460 NtClose (96, ... ) == 0x0 00512 460 NtUserSystemParametersInfo (41, 500, 1238640, 0, ... ) == 0x1 00513 460 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00514 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00515 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00516 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc03b 00517 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00518 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc03d 00519 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00520 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00521 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc03f 00522 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00523 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00524 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc041 00525 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00526 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00527 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc043 00528 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... 
) == 0x0 00529 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc045 00530 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00531 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00532 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc047 00533 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00534 460 NtUserFindExistingCursorIcon (1238428, 1238444, 1239012, ... ) == 0x10011 00535 460 NtUserRegisterClassExWOW (1238880, 1238960, 1238944, 1238976, 0, 384, 0, ... ) == 0x810cc049 00536 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00537 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00538 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc04b 00539 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00540 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00541 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc04d 00542 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00543 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00544 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc04f 00545 460 NtUserGetClassInfo (1999896576, 1239052, 1239004, 1239080, 0, ... ) == 0x0 00546 460 NtUserRegisterClassExWOW (1238888, 1238968, 1238952, 1238984, 0, 384, 0, ... ) == 0x810cc051 00547 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00548 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00549 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... 
) == 0x810cc053 00550 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00551 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00552 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc055 00553 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc057 00554 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00555 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00556 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc059 00557 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00558 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10013 00559 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc05b 00560 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00561 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00562 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc05d 00563 460 NtUserGetClassInfo (1999896576, 1239048, 1239000, 1239076, 0, ... ) == 0x0 00564 460 NtUserFindExistingCursorIcon (1238432, 1238448, 1239016, ... ) == 0x10011 00565 460 NtUserRegisterClassExWOW (1238884, 1238964, 1238948, 1238980, 0, 384, 0, ... ) == 0x810cc05f 00566 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc03b 00567 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc03d 00568 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc03f 00569 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc041 00570 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc043 00571 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... 
) == 0xc045 00572 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc047 00573 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc049 00574 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc04b 00575 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc04d 00576 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc04f 00577 460 NtUserGetClassInfo (1999896576, 1240804, 1240756, 1240832, 0, ... ) == 0xc051 00578 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc053 00579 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc055 00580 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc059 00581 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc05b 00582 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc05d 00583 460 NtUserGetClassInfo (1999896576, 1240800, 1240752, 1240828, 0, ... ) == 0xc05f 00584 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ws2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00585 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ws2_32.dll"}, 1240708, ... ) }, 1240708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00586 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "ws2_32.dll"}, 1240708, ... ) }, 1240708, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00587 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 1240708, ... ) }, 1240708, ... ) == 0x0 00588 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ws2_32.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00589 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 
104, ) == 0x0 00590 460 NtQuerySection (104, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00591 460 NtClose (96, ... ) == 0x0 00592 460 NtMapViewOfSection (104, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00593 460 NtClose (104, ... ) == 0x0 00594 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00595 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1239904, ... ) }, 1239904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00596 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1239904, ... ) }, 1239904, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00597 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1239904, ... ) }, 1239904, ... ) == 0x0 00598 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 104, {status=0x0, info=1}, ) }, 5, 96, ... 104, {status=0x0, info=1}, ) == 0x0 00599 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 104, ... 96, ) == 0x0 00600 460 NtQuerySection (96, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00601 460 NtClose (104, ... ) == 0x0 00602 460 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00603 460 NtClose (96, ... ) == 0x0 00604 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00605 460 NtQuerySystemInformation (Processor, 12, ... 
{system info, class 1, size 12}, 0x0, ) == 0x0 00606 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00607 460 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00608 460 NtQueryValueKey (96, (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (96, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00609 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 104, ) == 0x0 00610 460 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "Protocol_Catalog9"}, ... 108, ) }, ... 108, ) == 0x0 00611 460 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00612 460 NtNotifyChangeKey (108, 104, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00613 460 NtQueryValueKey (108, (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00614 460 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00615 460 NtQueryValueKey (108, (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (108, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00616 460 NtQueryValueKey (108, (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00617 460 NtOpenKey (0x2000000, {24, 108, 0x40, 0, 0, (0x2000000, {24, 108, 0x40, 0, 0, "Catalog_Entries"}, ... 112, ) }, ... 112, ) == 0x0 00618 460 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00619 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000001"}, ... 116, ) }, ... 116, ) == 0x0 00620 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00621 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00622 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0o\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0p\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0q\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0r\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00623 460 NtClose (116, ... ) == 0x0 00624 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000002"}, ... 116, ) }, ... 116, ) == 0x0 00625 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00626 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00627 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0t\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0u\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0v\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0w\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00628 460 NtClose (116, ... ) == 0x0 00629 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000003"}, ... 116, ) }, ... 116, ) == 0x0 00630 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00631 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00632 460 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00633 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0z\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0{\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0|\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0}\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00634 460 NtClose (116, ... ) == 0x0 00635 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000004"}, ... 116, ) }, ... 116, ) == 0x0 00636 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00637 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00638 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\177\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\200\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\201\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\202\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00639 460 NtClose (116, ... ) == 0x0 00640 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000005"}, ... 116, ) }, ... 116, ) == 0x0 00641 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00642 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00643 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\204\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\205\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\206\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\207\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00644 460 NtClose (116, ... ) == 0x0 00645 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000006"}, ... 116, ) }, ... 116, ) == 0x0 00646 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00647 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00648 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\211\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\212\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\213\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\214\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00649 460 NtClose (116, ... ) == 0x0 00650 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000007"}, ... 116, ) }, ... 116, ) == 0x0 00651 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00652 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00653 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\216\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\217\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\220\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\221\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00654 460 NtClose (116, ... ) == 0x0 00655 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000008"}, ... 116, ) }, ... 116, ) == 0x0 00656 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00657 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00658 460 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 1363968, 4096, ) == 0x0 00659 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\224\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\225\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\226\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\227\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00660 460 NtClose (116, ... ) == 0x0 00661 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000009"}, ... 116, ) }, ... 116, ) == 0x0 00662 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00663 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00664 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\231\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\232\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\233\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\234\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00665 460 NtClose (116, ... ) == 0x0 00666 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000010"}, ... 116, ) }, ... 116, ) == 0x0 00667 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00668 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00669 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0 (116, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\236\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0p\0\0\0(\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370\237\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\237\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0t\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\240\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\241\2\0\0\310\1\0\0\314\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0t\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00670 460 NtClose (116, ... ) == 0x0 00671 460 NtOpenKey (0x20019, {24, 112, 0x40, 0, 0, (0x20019, {24, 112, 0x40, 0, 0, "000000000011"}, ... 116, ) }, ... 116, ) == 0x0 00672 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00673 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00674 460 NtQueryValueKey (116, (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\243\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\243\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\244\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\2\0\0\310\1\0\0\314\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\245\2\0\0\310\1\0\0\314\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\246\2\0\0\310\1\0\0\314\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\246\2\0\0\310\1\0\0\314\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\247\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0D\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\237\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (116, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\243\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0t\0\0\0\243\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\244\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0p\0\0\0\244\2\0\0\310\1\0\0\314\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\245\2\0\0\310\1\0\0\314\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0h\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\245\2\0\0\310\1\0\0\314\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\246\2\0\0\310\1\0\0\314\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\246\2\0\0\310\1\0\0\314\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0p\0\0\0\247\2\0\0\310\1\0\0\314\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0`\0\0\0D\373\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\250\237\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 00675 460 NtClose (116, ... ) == 0x0 00676 460 NtClose (112, ... 
) == 0x0 00677 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 00678 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 112, ) == 0x0 00679 460 NtOpenKey (0x2000000, {24, 96, 0x40, 0, 0, (0x2000000, {24, 96, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 116, ) }, ... 116, ) == 0x0 00680 460 NtQueryValueKey (116, (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00681 460 NtNotifyChangeKey (116, 112, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00682 460 NtQueryValueKey (116, (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00683 460 NtOpenKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00684 460 NtQueryValueKey (116, (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 00685 460 NtOpenKey (0x2000000, {24, 116, 0x40, 0, 0, (0x2000000, {24, 116, 0x40, 0, 0, "Catalog_Entries"}, ... 120, ) }, ... 120, ) == 0x0 00686 460 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 00687 460 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000001"}, ... 124, ) }, ... 124, ) == 0x0 00688 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00689 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00690 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00691 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00692 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00693 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00694 460 NtQueryValueKey (124, (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00695 460 NtQueryValueKey (124, (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00696 460 NtQueryValueKey (124, (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00697 460 NtQueryValueKey (124, (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00698 460 NtQueryValueKey (124, (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00699 460 NtQueryValueKey (124, (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00700 460 NtClose (124, ... ) == 0x0 00701 460 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000002"}, ... 124, ) }, ... 124, ) == 0x0 00702 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00703 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00704 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00705 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00706 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00707 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00708 460 NtQueryValueKey (124, (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00709 460 NtQueryValueKey (124, (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00710 460 NtQueryValueKey (124, (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00711 460 NtQueryValueKey (124, (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00712 460 NtQueryValueKey (124, (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00713 460 NtQueryValueKey (124, (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00714 460 NtClose (124, ... ) == 0x0 00715 460 NtOpenKey (0x20019, {24, 120, 0x40, 0, 0, (0x20019, {24, 120, 0x40, 0, 0, "000000000003"}, ... 124, ) }, ... 124, ) == 0x0 00716 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00717 460 NtQueryValueKey (124, (124, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00718 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00719 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00720 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00721 460 NtQueryValueKey (124, (124, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00722 460 NtQueryValueKey (124, (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (124, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00723 460 NtQueryValueKey (124, (124, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00724 460 NtQueryValueKey (124, (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00725 460 NtQueryValueKey (124, (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00726 460 NtQueryValueKey (124, (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00727 460 NtQueryValueKey (124, (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (124, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00728 460 NtClose (124, ... 
) == 0x0 00729 460 NtClose (120, ... ) == 0x0 00730 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 00731 460 NtClose (96, ... ) == 0x0 00732 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00733 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00734 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 96, ) }, ... 96, ) == 0x0 00735 460 NtQueryValueKey (96, (96, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00736 460 NtClose (96, ... ) == 0x0 00737 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 96, ) == 0x0 00738 460 NtSetInformationProcess (-1, PriorityClass, {process info, class 18, size 2}, 3277056, ... ) == 0x0 00739 460 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "mtx_cv_cv_v2.0"}, 0, ... 120, ) }, 0, ... 120, ) == 0x0 00740 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cvrss.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00741 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\cvrss.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00742 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00743 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00744 460 NtClose (124, ... ) == 0x0 00745 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00746 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00747 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0", 72, ... , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0", 72, ... , 72, ... 00748 460 NtSetInformationFile (-2147482844, -131954892, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00747 460 NtSetValueKey ... ) == 0x0 00749 460 NtClose (124, ... ) == 0x0 00750 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acrmon32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00751 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acrmon32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00752 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00753 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00754 460 NtClose (124, ... ) == 0x0 00755 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 
124, 0x0, ) == 0x0 00756 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 84, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 84, ) }, 84, ) == 0x0 00757 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 148, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 148, ... ) , 148, ... ) == 0x0 00758 460 NtClose (124, ... ) == 0x0 00759 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00761 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00762 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00763 460 NtClose (124, ... 
) == 0x0 00764 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00765 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 160, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 160, ) }, 160, ) == 0x0 00766 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0", 220, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0", 220, ... ) , 220, ... ) == 0x0 00767 460 NtClose (124, ... ) == 0x0 00768 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup32.exe"}, 7, 2113600, ... 
) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00769 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\acroup32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00770 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00771 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00772 460 NtClose (124, ... ) == 0x0 00773 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00774 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 232, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... 
TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 232, ) }, 232, ) == 0x0 00775 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 296, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 296, ... ) , 296, ... ) == 0x0 00776 460 NtClose (124, ... ) == 0x0 00777 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman32.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00778 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00779 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00780 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00781 460 NtClose (124, ... ) == 0x0 00782 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00783 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 308, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... 
TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 308, ) }, 308, ) == 0x0 00784 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 372, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 372, ... ) , 372, ... ) == 0x0 00785 460 NtClose (124, ... ) == 0x0 00786 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wcescom32.exe"}, 7, 2113600, ... 
) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00787 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wcescom32.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00788 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00789 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00790 460 NtClose (124, ... ) == 0x0 00791 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00792 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 384, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... 
TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 384, ) }, 384, ) == 0x0 00793 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 450, ... 
) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0", 450, ... ) , 450, ... ) == 0x0 00794 460 NtClose (124, ... ) == 0x0 00795 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Userenv.dll"}, ... 124, ) }, ... 124, ) == 0x0 00796 460 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 00797 460 NtClose (124, ... ) == 0x0 00798 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 124, ) }, ... 124, ) == 0x0 00799 460 NtQueryValueKey (124, (124, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00800 460 NtClose (124, ... ) == 0x0 00801 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 124, ) }, ... 124, ) == 0x0 00802 460 NtQueryValueKey (124, (124, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00803 460 NtClose (124, ... ) == 0x0 00804 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 124, ) }, ... 
124, ) == 0x0 00805 460 NtQueryValueKey (124, (124, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (124, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 00806 460 NtClose (124, ... ) == 0x0 00807 460 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1240992, 0, (0x1f0003, {24, 52, 0x80, 1240992, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 124, ) }, 0, 1, ... 124, ) == STATUS_OBJECT_NAME_EXISTS 00808 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00809 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00810 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00811 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00812 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00813 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00814 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00815 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00816 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00817 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00818 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00819 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00820 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00821 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00822 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00823 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00824 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00825 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00826 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00827 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00828 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00829 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00830 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00831 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00832 460 NtQueryDefaultLocale (1, 1238828, ... 
) == 0x0 00833 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00834 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00835 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 128, ) == 0x0 00836 460 NtQueryInformationToken (128, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00837 460 NtClose (128, ... ) == 0x0 00838 460 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 128, ) }, ... 128, ) == 0x0 00839 460 NtOpenKey (0x20019, {24, 128, 0x40, 0, 0, (0x20019, {24, 128, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 132, ) }, ... 132, ) == 0x0 00840 460 NtQueryValueKey (132, (132, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 00841 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00842 460 NtQueryValueKey (132, (132, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 00843 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00844 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00845 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00846 460 NtQueryDefaultLocale (1, 1238828, ... ) == 0x0 00847 460 NtClose (132, ... ) == 0x0 00848 460 NtClose (128, ... 
) == 0x0 00849 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0 00850 460 NtQueryValueKey (128, (128, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00851 460 NtClose (128, ... ) == 0x0 00852 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0 00853 460 NtQueryValueKey (128, (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00854 460 NtQueryValueKey (128, (128, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00855 460 NtClose (128, ... ) == 0x0 00856 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 128, ) }, ... 128, ) == 0x0 00858 460 NtQueryValueKey (128, (128, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00859 460 NtClose (128, ... ) == 0x0 00860 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00861 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 128, ) }, ... 128, ) == 0x0 00862 460 NtQueryValueKey (128, (128, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (128, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 00863 460 NtClose (128, ... ) == 0x0 00864 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 128, ) }, ... 128, ) == 0x0 00865 460 NtQueryValueKey (128, (128, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (128, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 00866 460 NtClose (128, ... ) == 0x0 00867 460 NtClose (124, ... ) == 0x0 00868 460 NtUnmapViewOfSection (-1, 0x75a70000, ... ) == 0x0 00869 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Task Manager.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00870 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Task Manager.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00872 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00873 460 NtClose (124, ... ) == 0x0 00874 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 
124, 0x0, ) == 0x0 00875 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 462, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\0\0"}, 462, ) }, 462, ) == 0x0 00876 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, 
"\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 622, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 622, ... ) , 622, ... ) == 0x0 00877 460 NtClose (124, ... ) == 0x0 00878 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskman.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00879 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskman.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00881 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 460 NtClose (124, ... ) == 0x0 00883 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00884 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 
\0a\0n\0d\0\0\0\0\0z\2\0\0u\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0"}, 634, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0\0\0\0\0z\2\0\0u\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0"}, 634, ) }, 634, ) == 0x0 00885 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, 
"\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 784, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 784, ... ) , 784, ... ) == 0x0 00886 460 NtClose (124, ... ) == 0x0 00887 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mmedia.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00888 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\mmedia.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00889 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00890 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 460 NtClose (124, ... ) == 0x0 00892 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00893 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 
\0a\0n\0d\0\0\0\0\0\34\3\0\0~\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0"}, 796, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0\0\0\0\0\34\3\0\0~\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0"}, 796, ) }, 796, ) == 0x0 00894 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, 
"\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 944, ... ) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 944, ... ) , 944, ... ) == 0x0 00895 460 NtClose (124, ... ) == 0x0 00896 460 NtOpenFile (0x10080, {24, 0, 0x40, 0, 0, (0x10080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winamp.exe"}, 7, 2113600, ... ) }, 7, 2113600, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00897 460 NtOpenFile (0x110080, {24, 0, 0x40, 0, 0, (0x110080, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winamp.exe"}, 7, 2113568, ... ) }, 7, 2113568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00898 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00899 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations2", Partial, 1024, ... ) , Partial, 1024, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00900 460 NtClose (124, ... ) == 0x0 00901 460 NtCreateKey (0xc0000000, {24, 0, 0xc0, 0, 0, (0xc0000000, {24, 0, 0xc0, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Session Manager"}, 0, 0x0, 0, ... 124, 0x0, ) }, 0, 0x0, 0, ... 124, 0x0, ) == 0x0 00902 460 NtQueryValueKey (124, (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 
\0a\0n\0d\0\0\0\0\0\274\3\0\0\207\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0"}, 956, ) , Partial, 1024, ... TitleIdx=0, Type=7, Data= (124, "PendingFileRenameOperations", Partial, 1024, ... TitleIdx=0, Type=7, Data="\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 
\0a\0n\0d\0\0\0\0\0\274\3\0\0\207\3\0\0\310\1\0\0\314\1\0\0\263\0\0\0\0\0\1\0\0\0\0\0T\2\0\0|\0\0\0\0\0\0\06\08\0\210\13\355w\0\0\0\0P\0e\0n\0d\0i\0n\0g\0F\0i\0l\0e\0R\0e\0n\0a\0m\0e\0O\0p\0e\0r\0a\0t\0i\0o\0n\0s\0v\0\0\0\0\0\7\0\0\0\0\0\0\0\364\1\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0"}, 956, ) }, 956, ) == 0x0 00903 460 NtSetValueKey (124, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 1104, ... 
) , 0, 7, (124, "PendingFileRenameOperations", 0, 7, "\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0c\0v\0r\0s\0s\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0m\0o\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0a\0c\0r\0o\0u\0p\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0r\0a\0s\0m\0a\0n\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0c\0e\0s\0c\0o\0m\03\02\0.\0e\0x\0e\0\0\0\0\0\\0?\0?\0\\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0", 1104, ... ) , 1104, ... ) == 0x0 00904 460 NtClose (124, ... ) == 0x0 00905 460 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 124, 2, ) }, 0, 0x0, 0, ... 124, 2, ) == 0x0 00906 460 NtDeleteValueKey (124, (124, "ATI", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 460 NtDeleteValueKey (124, (124, "Acrobat", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 460 NtDeleteValueKey (124, (124, "Acrobat Update", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 460 NtDeleteValueKey (124, (124, "Acrobat Read", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 460 NtDeleteValueKey (124, (124, "rasman", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 460 NtDeleteValueKey (124, (124, "ActiveSync", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 460 NtClose (124, ... ) == 0x0 00913 460 NtUserRegisterClassExWOW (1244088, 1244164, 1244180, 1244152, 0, 386, 0, ... ) == 0x810cc0d5 00914 460 NtUserCreateWindowEx (-2147483648, 1244072, 1243884, "-2147483648, 0, 0, 1, 1, 0, 0, 0, 0, 1073742848, 0, ... 
00915 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240268, ... ) }, 1240268, ... ) == 0x0 00916 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 124, {status=0x0, info=1}, ) }, 5, 96, ... 124, {status=0x0, info=1}, ) == 0x0 00917 460 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 124, ... 128, ) == 0x0 00918 460 NtClose (124, ... ) == 0x0 00919 460 NtMapViewOfSection (128, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x380000), 0x0, 204800, ) == 0x0 00920 460 NtClose (128, ... ) == 0x0 00921 460 NtUnmapViewOfSection (-1, 0x380000, ... ) == 0x0 00922 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1240584, ... ) }, 1240584, ... ) == 0x0 00923 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 5, 96, ... 128, {status=0x0, info=1}, ) }, 5, 96, ... 128, {status=0x0, info=1}, ) == 0x0 00924 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 128, ... 124, ) == 0x0 00925 460 NtQuerySection (124, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00926 460 NtClose (128, ... ) == 0x0 00927 460 NtMapViewOfSection (124, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x5ad70000), 0x0, 212992, ) == 0x0 00928 460 NtClose (124, ... ) == 0x0 00929 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00930 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00931 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00932 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00933 460 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00934 460 NtClose (124, ... ) == 0x0 00935 460 NtOpenKey (0x2001f, {24, 0, 0x640, 0, 0, (0x2001f, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 
124, ) == 0x0 00936 460 NtOpenKey (0x1, {24, 124, 0x40, 0, 0, (0x1, {24, 124, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\ThemeManager"}, ... 128, ) }, ... 128, ) == 0x0 00937 460 NtQueryValueKey (128, (128, "Compositing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 460 NtClose (128, ... ) == 0x0 00939 460 NtClose (124, ... ) == 0x0 00940 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00941 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 124, ) == 0x0 00942 460 NtQueryInformationToken (124, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00943 460 NtClose (124, ... ) == 0x0 00944 460 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 124, ) }, ... 124, ) == 0x0 00945 460 NtOpenKey (0x1, {24, 124, 0x40, 0, 0, (0x1, {24, 124, 0x40, 0, 0, "Control Panel\Desktop"}, ... 128, ) }, ... 128, ) == 0x0 00946 460 NtQueryValueKey (128, (128, "LameButtonText", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00947 460 NtClose (128, ... ) == 0x0 00948 460 NtClose (124, ... ) == 0x0 00949 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\UxTheme.dll"}, 1240084, ... ) }, 1240084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00950 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "UxTheme.dll"}, 1240084, ... ) }, 1240084, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\UxTheme.dll"}, 1240084, ... ) }, 1240084, ... ) == 0x0 00952 460 NtUserGetProcessWindowStation (... ) == 0x24 00953 460 NtUserGetObjectInformation (36, 2, 0, 0, 1242380, ... ) == 0x0 00954 460 NtUserGetObjectInformation (36, 2, 1370248, 16, 1242380, ... ) == 0x1 00955 460 NtUserGetGUIThreadInfo (460, 1242336, ... 
) == 0x1 00956 460 NtConnectPort ( ("\ThemeApiPort", {12, 2, 1, 1}, 0x0, 0x0, 1242156, 64, ... 124, 0x0, 0x0, 0x0, 64, ) , {12, 2, 1, 1}, 0x0, 0x0, 1242156, 64, ... 124, 0x0, 0x0, 0x0, 64, ) == 0x0 00957 460 NtRequestWaitReplyPort (124, {32, 56, new_msg, 0, 0, 0, 0, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 460, 1573, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 460, 1573, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00958 460 NtRequestWaitReplyPort (124, {32, 56, new_msg, 0, 0, 0, 0, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 460, 1574, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 460, 1574, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\355\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 460, 1574, 0} "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00959 460 NtUserCallNoParam (29, ... 00960 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239628, ... ) }, 1239628, ... ) == 0x0 00959 460 NtUserCallNoParam ... ) == 0x0 00961 460 NtUserSystemParametersInfo (41, 0, 1524225160, 0, ... ) == 0x1 00962 460 NtGdiHfontCreate (1241708, 356, 0, 0, 1344040, ... ) == 0x80a0454 00963 460 NtGdiHfontCreate (1241708, 356, 0, 0, 1344032, ... ) == 0x60a0455 00964 460 NtRequestWaitReplyPort (124, {32, 56, new_msg, 0, 0, 0, 0, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{32, 56, reply, 0, 456, 460, 1575, 0} "\0\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {32, 56, reply, 0, 456, 460, 1575, 0} (124, {32, 56, new_msg, 0, 0, 0, 0, 0} "\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {32, 56, reply, 0, 456, 460, 1575, 0} "\0\0\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 00965 460 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x380000), {0, 0}, 331776, ) == 0x0 00966 460 NtAllocateVirtualMemory (-1, 3293184, 0, 4096, 4096, 4, ... 3293184, 4096, ) == 0x0 00967 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00968 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00969 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00970 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00971 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00972 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00973 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00974 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00975 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00976 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00977 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00978 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00979 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00980 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00981 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00982 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00983 460 NtUserGetWindowDC (0, ... ) == 0x1010050 00984 460 NtGdiCreatePatternBrushInternal (59048369, 0, 0, ... ) == 0x1100457 00985 460 NtUserCallOneParam (16842832, 56, ... ) == 0x1 00986 460 NtUserCallNoParam (29, ... 00987 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239072, ... ) }, 1239072, ... ) == 0x0 00986 460 NtUserCallNoParam ... ) == 0x0 00988 460 NtUserCallNoParam (29, ... 
00989 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\uxtheme.dll"}, 1239068, ... ) }, 1239068, ... ) == 0x0 00988 460 NtUserCallNoParam ... ) == 0x0 00990 460 NtUserMessageCall (0x200b2, WM_NCCREATE, 0x0, 0x12f618, 0, 670, 1, ... ) == 0x1 00991 460 NtUserMessageCall (0x200b2, WM_NCCALCSIZE, 0x0, 0x12f64c, 0, 670, 1, ... ) == 0x0 00992 460 NtUserSetProp (131250, 43288, -1, ... ) == 0x1 00993 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240540, (0x80100080, {24, 0, 0x40, 0, 1240540, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 132, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 132, {status=0x0, info=1}, ) == 0x0 00994 460 NtQueryInformationFile (132, 1241476, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00995 460 NtQueryInformationFile (132, 1241448, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00996 460 NtQueryInformationFile (132, 1241400, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00997 460 NtAllocateVirtualMemory (-1, 1372160, 0, 8192, 4096, 4, ... 1372160, 8192, ) == 0x0 00998 460 NtQueryInformationFile (132, 1371280, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00999 460 NtQueryInformationFile (132, 1239944, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01000 460 NtQueryInformationFile (132, 1239788, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01001 460 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1239796, (0x40110080, {24, 0, 0x40, 0, 1239796, "\??\C:\WINDOWS\System32\qmedia.exe"}, 0x0, 32, 0, 2, 100, 0, 0, ... 136, {status=0x0, info=2}, ) }, 0x0, 32, 0, 2, 100, 0, 0, ... 136, {status=0x0, info=2}, ) == 0x0 01002 460 NtQueryVolumeInformationFile (136, 1239168, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01003 460 NtQueryInformationFile (136, 1239128, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01004 460 NtQueryVolumeInformationFile (132, 1239168, 536, Attribute, ... 
{status=0x0, info=20}, ) == 0x0 01005 460 NtSetInformationFile (136, 1238956, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01006 460 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 132, ... 140, ) == 0x0 01007 460 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 49152, ) == 0x0 01008 460 NtClose (140, ... ) == 0x0 01009 460 NtWriteFile (136, 0, 0, 0, (136, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\23\267z\336W\326\24\215W\326\24\215W\326\24\215D\336I\215U\326\24\215\324\336I\215U\326\24\215\255\365\15\215T\326\24\215W\326\25\215g\326\24\215R\332t\215\\326\24\215R\332N\215V\326\24\215RichW\326\24\215\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\204v$F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0R\0\0\0|\0\0\0\0\0\0@\24\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\1\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\340q\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0CODE\0\0\0\0\301\4\0\0\0\20\0\0\0\6\0\0\0\4\0\0\0\0\0\0", 48640, 0x0, 0, ... {status=0x0, info=48640}, ) , 48640, 0x0, 0, ... {status=0x0, info=48640}, ) == 0x0 01010 460 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01011 460 NtSetInformationFile (136, 1241400, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01012 460 NtClose (132, ... ) == 0x0 01013 460 NtClose (136, ... ) == 0x0 01014 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Userenv.dll"}, ... 136, ) }, ... 136, ) == 0x0 01015 460 NtMapViewOfSection (136, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x75a70000), 0x0, 667648, ) == 0x0 01016 460 NtClose (136, ... ) == 0x0 01017 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 136, ) }, ... 136, ) == 0x0 01018 460 NtQueryValueKey (136, (136, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01019 460 NtClose (136, ... ) == 0x0 01020 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 136, ) }, ... 136, ) == 0x0 01021 460 NtQueryValueKey (136, (136, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01022 460 NtClose (136, ... ) == 0x0 01023 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 136, ) }, ... 136, ) == 0x0 01024 460 NtQueryValueKey (136, (136, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (136, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 01025 460 NtClose (136, ... ) == 0x0 01026 460 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1238492, 0, (0x1f0003, {24, 52, 0x80, 1238492, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 136, ) }, 0, 1, ... 136, ) == STATUS_OBJECT_NAME_EXISTS 01027 460 NtAllocateVirtualMemory (-1, 1224704, 0, 4096, 4096, 260, ... 1224704, 4096, ) == 0x0 01028 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01029 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01030 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01031 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01032 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01033 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01034 460 NtQueryDefaultLocale (1, 1236328, ... 
) == 0x0 01035 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01036 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01037 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01038 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01039 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01040 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01041 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01042 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01043 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01044 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01045 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01046 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01047 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01048 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01049 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01050 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01051 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01052 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01053 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01054 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01055 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 132, ) == 0x0 01056 460 NtQueryInformationToken (132, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01057 460 NtClose (132, ... ) == 0x0 01058 460 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 132, ) }, ... 132, ) == 0x0 01059 460 NtOpenKey (0x20019, {24, 132, 0x40, 0, 0, (0x20019, {24, 132, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 140, ) }, ... 140, ) == 0x0 01060 460 NtQueryValueKey (140, (140, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (140, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01061 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01062 460 NtQueryValueKey (140, (140, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (140, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 01063 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01064 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01065 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01066 460 NtQueryDefaultLocale (1, 1236328, ... ) == 0x0 01067 460 NtClose (140, ... ) == 0x0 01068 460 NtClose (132, ... ) == 0x0 01069 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0 01070 460 NtQueryValueKey (132, (132, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01071 460 NtClose (132, ... ) == 0x0 01072 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0 01073 460 NtQueryValueKey (132, (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01074 460 NtQueryValueKey (132, (132, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01075 460 NtClose (132, ... ) == 0x0 01076 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01077 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 132, ) }, ... 132, ) == 0x0 01078 460 NtQueryValueKey (132, (132, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01079 460 NtClose (132, ... ) == 0x0 01080 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01081 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 132, ) }, ... 132, ) == 0x0 01082 460 NtQueryValueKey (132, (132, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (132, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 01083 460 NtClose (132, ... ) == 0x0 01084 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 132, ) }, ... 132, ) == 0x0 01085 460 NtQueryValueKey (132, (132, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 01086 460 NtClose (132, ... ) == 0x0 01087 460 NtClose (136, ... ) == 0x0 01088 460 NtUnmapViewOfSection (-1, 0x75a70000, ... 
) == 0x0 01089 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239732, (0x80100080, {24, 0, 0x40, 0, 1239732, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 136, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 136, {status=0x0, info=1}, ) == 0x0 01090 460 NtQueryInformationFile (136, 1240668, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 01091 460 NtQueryInformationFile (136, 1240640, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 01092 460 NtQueryInformationFile (136, 1240592, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01093 460 NtQueryInformationFile (136, 1371584, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 01094 460 NtQueryInformationFile (136, 1239136, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01095 460 NtQueryInformationFile (136, 1238980, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 01096 460 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1238988, (0x40110080, {24, 0, 0x40, 0, 1238988, "\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\icq.exe"}, 0x0, 32, 0, 2, 100, 0, 0, ... 132, {status=0x0, info=2}, ) }, 0x0, 32, 0, 2, 100, 0, 0, ... 132, {status=0x0, info=2}, ) == 0x0 01097 460 NtQueryVolumeInformationFile (132, 1238360, 536, Attribute, ... {status=0x0, info=22}, ) == 0x0 01098 460 NtQueryInformationFile (132, 1238320, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 01099 460 NtQueryVolumeInformationFile (136, 1238360, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 01100 460 NtSetInformationFile (132, 1238148, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01101 460 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 136, ... 140, ) == 0x0 01102 460 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x3e0000), {0, 0}, 49152, ) == 0x0 01103 460 NtClose (140, ... 
) == 0x0 01104 460 NtWriteFile (132, 0, 0, 0, (132, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\23\267z\336W\326\24\215W\326\24\215W\326\24\215D\336I\215U\326\24\215\324\336I\215U\326\24\215\255\365\15\215T\326\24\215W\326\25\215g\326\24\215R\332t\215\\326\24\215R\332N\215V\326\24\215RichW\326\24\215\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\4\0\204v$F\0\0\0\0\0\0\0\0\340\0\17\1\13\1\7\12\0R\0\0\0|\0\0\0\0\0\0@\24\0\0\0\20\0\0\0p\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\1\0\0\4\0\0\0\0\0\0\2\0\0\4\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\340q\0\0P\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0p\0\0\314\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0CODE\0\0\0\0\301\4\0\0\0\20\0\0\0\6\0\0\0\4\0\0\0\0\0\0", 48640, 0x0, 0, ... {status=0x0, info=48640}, ) , 48640, 0x0, 0, ... {status=0x0, info=48640}, ) == 0x0 01105 460 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01106 460 NtSetInformationFile (132, 1240592, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01107 460 NtClose (136, ... ) == 0x0 01108 460 NtClose (132, ... ) == 0x0 01109 460 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 
132, 2, ) == 0x0 01110 460 NtSetValueKey (132, (132, "Winamp Media", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0e\0d\0i\0a\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\354\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\04\0\356\0\22\0\0\0\11\0\0\0\0\0\0\00\0\362\0\22\0\0\0 \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\4\0\366\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0|\0\361\0\22\0\0\0\36 \0\0\0\0\0\08\0\365\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\4\0\366\0\22\0\0\0]\0\275\0\346\0w\0d\0\362\0\22\0\0\0\220\0!\0", 520, ... 
, 0, 1, (132, "Winamp Media", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0e\0d\0i\0a\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\354\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\04\0\356\0\22\0\0\0\11\0\0\0\0\0\0\00\0\362\0\22\0\0\0 \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\4\0\366\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0|\0\361\0\22\0\0\0\36 \0\0\0\0\0\08\0\365\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\4\0\366\0\22\0\0\0]\0\275\0\346\0w\0d\0\362\0\22\0\0\0\220\0!\0", 520, ... , 520, ... 01111 460 NtSetInformationFile (-2147482808, -131958332, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01112 460 NtSetInformationFile (-2147482808, -131958424, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01113 460 NtSetInformationFile (-2147482808, -131958732, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01110 460 NtSetValueKey ... ) == 0x0 01114 460 NtClose (132, ... ) == 0x0 01115 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Run"}, 0, 0x0, 0, ... 132, 2, ) }, 0, 0x0, 0, ... 
132, 2, ) == 0x0 01116 460 NtSetValueKey (132, (132, "Winamp Media", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0e\0d\0i\0a\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\354\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\04\0\356\0\22\0\0\0\11\0\0\0\0\0\0\00\0\362\0\22\0\0\0 \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\4\0\366\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0|\0\361\0\22\0\0\0\36 \0\0\0\0\0\08\0\365\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\4\0\366\0\22\0\0\0]\0\275\0\346\0w\0d\0\362\0\22\0\0\0\220\0!\0", 520, ... 
, 0, 1, (132, "Winamp Media", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0q\0m\0e\0d\0i\0a\0.\0e\0x\0e\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\254 \1\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0 \0\10\0\0\0\0\0\0\0\254 \6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220\0\354\0\24\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\306\2\0\0\0\0\0\0\36 \0\0\0\0\0\04\0\356\0\22\0\0\0\11\0\0\0\0\0\0\00\0\362\0\22\0\0\0 \273\0\351\0w\0 \0\23\0\350\0w\0\377\0\377\0\377\0\377\0M\0\263\0\346\0w\00 \263\0\346\0w\0\0\0\354\0\375\0\177\0\240\0\347\0\24\0\0\0\0\0\0\0\0\0\0\0O\0\345\0\367\0w\0\243\0y\0\347\0w\0\306\2\0\0\0\0\0\0\11\0\0\0\0\0\0\0H\0\0\0\0\0\0\0\235\0\263\0\346\0w\0\4\0\366\0\22\0\0\0\370\0\353\0\375\0\177\0\0\0\0\0\1\0\0\0\0\0\0\0\24\0\0\0|\0\361\0\22\0\0\0\36 \0\0\0\0\0\08\0\365\0\22\0\0\0\2\0$\0\370\0w\0\370\0T\0\367\0w\0\377\0\377\0\377\0\377\0\215\0\26\0\365\0w\0\313\0%\0\365\0w\0\0\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\240\0\347\0\24\0\0\0\254\0%\0\365\0w\0\240\0\347\0\24\0\0\0\4\0\366\0\22\0\0\0]\0\275\0\346\0w\0d\0\362\0\22\0\0\0\220\0!\0", 520, ... , 520, ... 01117 460 NtSetInformationFile (-2147482732, -131958332, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01118 460 NtSetInformationFile (-2147482732, -131958424, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01119 460 NtSetInformationFile (-2147482732, -131958732, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 01116 460 NtSetValueKey ... ) == 0x0 01120 460 NtClose (132, ... ) == 0x0 01121 460 NtUserSetTimer (131250, 101, 2000, 0, ... ) == 0x65 01122 460 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9437184, 1048576, ) == 0x0 01123 460 NtAllocateVirtualMemory (-1, 10477568, 0, 8192, 4096, 4, ... 10477568, 8192, ) == 0x0 01124 460 NtProtectVirtualMemory (-1, (0x9fe000), 4096, 260, ... (0x9fe000), 4096, 4, ) == 0x0 01125 460 NtCreateThread (0x1f03ff, 0x0, -1, 1240860, 1241576, 1, ... 
132, {456, 876}, ) == 0x0 01126 460 NtQueryInformationThread (132, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdd000,Pid=456,Tid=876,}, 0x0, ) == 0x0 01127 460 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012550797, 0, 520, 132} (24, {28, 56, new_msg, 0, 2012550797, 0, 520, 132} "\0\0\0\0\1\0\1\0\0\0\0\0\20\357\22\0\204\0\0\0\310\1\0\0l\3\0\0" ... {28, 56, reply, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\20\357\22\0\204\0\0\0\310\1\0\0l\3\0\0" ) ... {28, 56, reply, 0, 456, 460, 1576, 0} (24, {28, 56, new_msg, 0, 2012550797, 0, 520, 132} "\0\0\0\0\1\0\1\0\0\0\0\0\20\357\22\0\204\0\0\0\310\1\0\0l\3\0\0" ... {28, 56, reply, 0, 456, 460, 1576, 0} "\0\0\0\0\1\0\1\0\0\0\0\0\20\357\22\0\204\0\0\0\310\1\0\0l\3\0\0" ) ) == 0x0 01128 460 NtResumeThread (132, ... 1, ) == 0x0 00914 460 NtUserCreateWindowEx ... ) == 0x200b2 01129 460 NtUserGetMessage (0, 0, 0, ... 01130 876 NtTestAlert (... ) == 0x0 01131 876 NtContinue (10485040, 1, ... 01132 876 NtRegisterThreadTerminatePort (24, ... ) == 0x0 01133 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 136, ) == 0x0 01134 876 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 01135 876 NtAllocateVirtualMemory (-1, 10473472, 0, 4096, 4096, 260, ... 10473472, 4096, ) == 0x0 01136 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10481004, ... ) }, 10481004, ... ) == 0x0 01137 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 140, {status=0x0, info=1}, ) }, 5, 96, ... 140, {status=0x0, info=1}, ) == 0x0 01138 876 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 140, ... 144, ) == 0x0 01139 876 NtClose (140, ... ) == 0x0 01140 876 NtMapViewOfSection (144, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xa00000), 0x0, 229376, ) == 0x0 01141 876 NtClose (144, ... ) == 0x0 01142 876 NtUnmapViewOfSection (-1, 0xa00000, ... 
) == 0x0 01143 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10481320, ... ) }, 10481320, ... ) == 0x0 01144 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 144, {status=0x0, info=1}, ) }, 5, 96, ... 144, {status=0x0, info=1}, ) == 0x0 01145 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 144, ... 140, ) == 0x0 01146 876 NtQuerySection (140, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01147 876 NtClose (144, ... ) == 0x0 01148 876 NtMapViewOfSection (140, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01149 876 NtClose (140, ... ) == 0x0 01150 876 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01151 876 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01152 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 140, ) == 0x0 01153 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 10480648, ... ) }, 10480648, ... ) == 0x0 01154 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 144, ) }, ... 144, ) == 0x0 01155 876 NtQueryValueKey (144, (144, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (144, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01156 876 NtQueryValueKey (144, (144, "Transports", Partial, 144, ... 
TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (144, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 01157 876 NtClose (144, ... ) == 0x0 01158 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 144, ) }, ... 144, ) == 0x0 01159 876 NtQueryValueKey (144, (144, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01160 876 NtQueryValueKey (144, (144, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01161 876 NtQueryValueKey (144, (144, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (144, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01162 876 NtClose (144, ... ) == 0x0 01163 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 144, ) }, ... 144, ) == 0x0 01164 876 NtQueryValueKey (144, (144, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "MinSockaddrLength", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01165 876 NtQueryValueKey (144, (144, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01166 876 NtQueryValueKey (144, (144, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (144, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01167 876 NtQueryValueKey (144, (144, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (144, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01168 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 10481568, ... ) }, 10481568, ... ) == 0x0 01169 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01170 876 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 148, ... 152, ) == 0x0 01171 876 NtClose (148, ... ) == 0x0 01172 876 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 20480, ) == 0x0 01173 876 NtClose (152, ... ) == 0x0 01174 876 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01175 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 10481884, ... ) }, 10481884, ... 
) == 0x0 01176 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 01177 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 148, ) == 0x0 01178 876 NtQuerySection (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01179 876 NtClose (152, ... ) == 0x0 01180 876 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01181 876 NtClose (148, ... ) == 0x0 01182 876 NtClose (144, ... ) == 0x0 01183 876 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 10484084, 75, ... }, 0x0, 0, 3, 3, 0, 10484084, 75, ... 01184 876 NtClose (-2147482032, ... ) == 0x0 01183 876 NtCreateFile ... 144, {status=0x0, info=0}, ) == 0x0 01185 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x1207b, (144, 140, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\30\361\24\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\220&\14\201", ) , 16, 16, ... {status=0x0, info=16}, (144, 140, 0x0, 0x0, 0x1207b, "\7\0\0\0\340\0\0\0\30\361\24\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\220&\14\201", ) , ) == 0x0 01186 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x1207b, (144, 140, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\220&\14\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\220&\14\201", ) , 16, 16, ... {status=0x0, info=16}, (144, 140, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\220&\14\201", 16, 16, ... 
{status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\220&\14\201", ) , ) == 0x0 01187 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12047, (144, 140, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\30\361\24\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 01188 876 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 01189 876 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 01190 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 10480824, ... ) }, 10480824, ... ) == 0x0 01191 876 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01192 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 10480940, ... ) }, 10480940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01193 876 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "DNSAPI.dll"}, 10480940, ... ) }, 10480940, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01194 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 10480940, ... ) }, 10480940, ... ) == 0x0 01195 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 148, {status=0x0, info=1}, ) }, 5, 96, ... 148, {status=0x0, info=1}, ) == 0x0 01196 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 148, ... 
152, ) == 0x0 01197 876 NtQuerySection (152, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01198 876 NtClose (148, ... ) == 0x0 01199 876 NtMapViewOfSection (152, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01200 876 NtClose (152, ... ) == 0x0 01201 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 152, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 152, 2, ) , 0, ... 152, 2, ) == 0x0 01202 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 01203 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01204 876 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01205 876 NtQueryValueKey (148, (148, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01206 876 NtQueryValueKey (152, (152, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01207 876 NtQueryValueKey (148, (148, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 876 NtQueryValueKey (152, (152, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (152, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01209 876 NtQueryValueKey (148, (148, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01210 876 NtQueryValueKey (152, (152, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01211 876 NtQueryValueKey (148, (148, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01212 876 NtQueryValueKey (152, (152, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01213 876 NtQueryValueKey (148, (148, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01214 876 NtQueryValueKey (148, (148, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01215 876 NtQueryValueKey (148, (148, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01216 876 NtQueryValueKey (148, (148, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01217 876 NtQueryValueKey (148, (148, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01218 876 NtQueryValueKey (148, (148, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01219 876 NtQueryValueKey (148, (148, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01220 876 NtQueryValueKey (152, (152, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01221 876 NtQueryValueKey (148, (148, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01222 876 NtQueryValueKey (148, (148, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01223 876 NtQueryValueKey (152, (152, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01224 876 NtQueryValueKey (148, (148, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01225 876 NtQueryValueKey (152, (152, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01226 876 NtQueryValueKey (148, (148, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01227 876 NtQueryValueKey (152, (152, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01228 876 NtQueryValueKey (148, (148, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01229 876 NtQueryValueKey (152, (152, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01230 876 NtQueryValueKey (148, (148, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01231 876 NtQueryValueKey (152, (152, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01232 876 NtQueryValueKey (148, (148, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01233 876 NtQueryValueKey (152, (152, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01234 876 NtQueryValueKey (148, (148, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01235 876 NtQueryValueKey (152, (152, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01236 876 NtQueryValueKey (148, (148, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01237 876 NtQueryValueKey (152, (152, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01238 876 NtQueryValueKey (148, (148, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01239 876 NtQueryValueKey (148, (148, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01240 876 NtQueryValueKey (148, (148, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01241 876 NtQueryValueKey (148, (148, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01242 876 NtQueryValueKey (148, (148, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01243 876 NtQueryValueKey (148, (148, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01244 876 NtQueryValueKey (148, (148, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01245 876 NtQueryValueKey (148, (148, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01246 876 NtQueryValueKey (148, (148, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01247 876 NtQueryValueKey (148, (148, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01248 876 NtQueryValueKey (148, (148, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 876 NtQueryValueKey (148, (148, "UseDotLocalDomain", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01250 876 NtQueryValueKey (148, (148, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01251 876 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 156, ) }, ... 156, ) == 0x0 01252 876 NtQueryValueKey (156, (156, "SystemSetupInProgress", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (156, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01253 876 NtClose (156, ... ) == 0x0 01254 876 NtClose (152, ... ) == 0x0 01255 876 NtClose (148, ... ) == 0x0 01256 876 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 148, ) }, ... 148, ) == 0x0 01257 876 NtQueryValueKey (148, (148, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01258 876 NtQueryValueKey (148, (148, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01259 876 NtQueryValueKey (148, (148, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01260 876 NtClose (148, ... ) == 0x0 01261 876 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01262 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01263 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 148, ) }, ... 148, ) == 0x0 01264 876 NtQueryValueKey (148, (148, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01265 876 NtClose (148, ... ) == 0x0 01266 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01267 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 148, ) == 0x0 01268 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 152, ) == 0x0 01269 876 NtQuerySystemTime (... {-1977005560, 29873109}, ) == 0x0 01270 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 156, ) == 0x0 01271 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01272 876 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01273 876 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01274 876 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01275 876 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 160, ) == 0x0 01276 876 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 164, ) == 0x0 01277 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 01278 876 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10481416, 112, ... 172, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10481416, 112, ... 172, 0x0, 0x0, 0x0, 112, ) == 0x0 01279 876 NtRequestWaitReplyPort (172, {128, 152, new_msg, 0, 126172, 1310720, 10481180, 2012750850} (172, {128, 152, new_msg, 0, 126172, 1310720, 10481180, 2012750850} "\0\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0(\15\25\0\240\15\25\0H\2\24\08\17\25\0\4\0\0\00\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\3\24\0\0\0\0\0\32\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1578, 0} "\7\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0(\15\25\0\240\15\25\0H\2\24\08\17\25\0\4\0\0\00\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\3\24\0\0\0\0\0\32\0\0\0\5\0\0\0" ) ... 
{128, 152, reply, 0, 456, 876, 1578, 0} (172, {128, 152, new_msg, 0, 126172, 1310720, 10481180, 2012750850} "\0\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0(\15\25\0\240\15\25\0H\2\24\08\17\25\0\4\0\0\00\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\3\24\0\0\0\0\0\32\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1578, 0} "\7\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0(\15\25\0\240\15\25\0H\2\24\08\17\25\0\4\0\0\00\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\3\24\0\0\0\0\0\32\0\0\0\5\0\0\0" ) ) == 0x0 01280 876 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01281 876 NtRequestWaitReplyPort (172, {64, 88, new_msg, 0, 0, 0, 0, 0} (172, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 456, 876, 1579, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 876, 1579, 0} (172, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 456, 876, 1579, 0} "\2\240\372\177\1\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01282 876 NtClose (168, ... ) == 0x0 01283 876 NtClose (172, ... ) == 0x0 01284 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
172, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) , 0, ... 172, 2, ) == 0x0 01285 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 168, ) }, ... 168, ) == 0x0 01286 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01287 876 NtQueryValueKey (172, (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01288 876 NtQueryValueKey (172, (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01289 876 NtClose (172, ... ) == 0x0 01290 876 NtClose (168, ... ) == 0x0 01291 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 01292 876 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10481280, 112, ... 172, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10481280, 112, ... 172, 0x0, 0x0, 0x0, 112, ) == 0x0 01293 876 NtRequestWaitReplyPort (172, {128, 152, new_msg, 0, 126036, 1310720, 10481044, 2012750850} (172, {128, 152, new_msg, 0, 126036, 1310720, 10481044, 2012750850} "\0\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0(\15\25\0\310\15\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\237\0\200\357\237\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 456, 876, 1582, 0} "\7\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0(\15\25\0\310\15\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\237\0\200\357\237\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 876, 1582, 0} (172, {128, 152, new_msg, 0, 126036, 1310720, 10481044, 2012750850} "\0\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0(\15\25\0\310\15\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\237\0\200\357\237\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1582, 0} "\7\364\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0(\15\25\0\310\15\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\237\0\200\357\237\0\0\0\0\0\263\26\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 01294 876 NtRequestWaitReplyPort (172, {44, 68, new_msg, 0, 456, 876, 1579, 0} (172, {44, 68, new_msg, 0, 456, 876, 1579, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 456, 876, 1583, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... {40, 64, reply, 0, 456, 876, 1583, 0} (172, {44, 68, new_msg, 0, 456, 876, 1579, 0} "\1\240\0\0A\2\4\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... 
{40, 64, reply, 0, 456, 876, 1583, 0} "\2\240\372\177\4\00\300\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 01295 876 NtRequestWaitReplyPort (172, {64, 88, new_msg, 56, 0, 1, 0, 0} (172, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\360\237\0@\0\314w\300\14\25\0H\360\237\0\260\360\237\0\0\267\362v\260\360\237\0\300\14\25\0\1\0\0\0\260\20\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 456, 876, 1584, 0} "\10\360\237\0@\0\314w\300\14\25\0H\360\237\0\260\360\237\0\0\267\362v\260\360\237\0\300\14\25\0\1\0\0\0\260\20\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 456, 876, 1584, 0} (172, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\360\237\0@\0\314w\300\14\25\0H\360\237\0\260\360\237\0\0\267\362v\260\360\237\0\300\14\25\0\1\0\0\0\260\20\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 456, 876, 1584, 0} "\10\360\237\0@\0\314w\300\14\25\0H\360\237\0\260\360\237\0\0\267\362v\260\360\237\0\300\14\25\0\1\0\0\0\260\20\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01296 876 NtClose (168, ... ) == 0x0 01297 876 NtClose (172, ... ) == 0x0 01298 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) , 0, ... 172, 2, ) == 0x0 01299 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 168, ) }, ... 168, ) == 0x0 01300 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01301 876 NtQueryValueKey (172, (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01302 876 NtQueryValueKey (172, (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01303 876 NtClose (172, ... ) == 0x0 01304 876 NtClose (168, ... ) == 0x0 01305 876 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 168, ) }, ... 168, ) == 0x0 01306 876 NtQueryValueKey (168, (168, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01307 876 NtClose (168, ... ) == 0x0 01308 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 10480824, ... ) }, 10480824, ... ) == 0x0 01309 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 168, {status=0x0, info=1}, ) }, 5, 96, ... 168, {status=0x0, info=1}, ) == 0x0 01310 876 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 168, ... 172, ) == 0x0 01311 876 NtClose (168, ... ) == 0x0 01312 876 NtMapViewOfSection (172, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x3e0000), 0x0, 16384, ) == 0x0 01313 876 NtClose (172, ... ) == 0x0 01314 876 NtUnmapViewOfSection (-1, 0x3e0000, ... ) == 0x0 01315 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 10481140, ... ) }, 10481140, ... ) == 0x0 01316 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01317 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 168, ) == 0x0 01318 876 NtQuerySection (168, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 01319 876 NtClose (172, ... ) == 0x0 01320 876 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 01321 876 NtClose (168, ... ) == 0x0 01322 876 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 168, ) }, ... 168, ) == 0x0 01323 876 NtMapViewOfSection (168, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01324 876 NtClose (168, ... ) == 0x0 01325 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 168, ) == 0x0 01326 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 172, ) }, ... 172, ) == 0x0 01327 876 NtQueryValueKey (172, (172, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (172, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01328 876 NtClose (172, ... ) == 0x0 01329 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 10480824, ... ) }, 10480824, ... ) == 0x0 01330 876 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01331 876 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 4063232, 65536, ) == 0x0 01332 876 NtAllocateVirtualMemory (-1, 4063232, 0, 4096, 4096, 4, ... 4063232, 4096, ) == 0x0 01333 876 NtAllocateVirtualMemory (-1, 4067328, 0, 8192, 4096, 4, ... 4067328, 8192, ) == 0x0 01334 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 172, ) == 0x0 01335 876 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10481112, 112, ... 
176, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10481112, 112, ... 176, 0x0, 0x0, 0x0, 112, ) == 0x0 01336 876 NtRequestWaitReplyPort (176, {128, 152, new_msg, 0, 125868, 1310720, 10480876, 2012750850} (176, {128, 152, new_msg, 0, 125868, 1310720, 10480876, 2012750850} "\0\363\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0X\27\25\0\200\27\25\0\360\30\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\342\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1587, 0} "\7\363\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0X\27\25\0\200\27\25\0\360\30\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\342\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 876, 1587, 0} (176, {128, 152, new_msg, 0, 125868, 1310720, 10480876, 2012750850} "\0\363\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0X\27\25\0\200\27\25\0\360\30\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\342\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1587, 0} "\7\363\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0X\27\25\0\200\27\25\0\360\30\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\342\0\0\0\5\0\0\0" ) ) == 0x0 01337 876 NtRequestWaitReplyPort (176, {64, 88, new_msg, 0, 456, 876, 1583, 0} (176, {64, 88, new_msg, 0, 456, 876, 1583, 0} "\1\240\0\0A\2\10\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 456, 876, 1588, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 876, 1588, 0} (176, {64, 88, new_msg, 0, 456, 876, 1583, 0} "\1\240\0\0A\2\10\0\0\0\0\0G\3\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 456, 876, 1588, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01338 876 NtClose (172, ... ) == 0x0 01339 876 NtClose (176, ... ) == 0x0 01340 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 176, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 176, 2, ) , 0, ... 176, 2, ) == 0x0 01341 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 172, ) }, ... 172, ) == 0x0 01342 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01343 876 NtQueryValueKey (176, (176, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01344 876 NtQueryValueKey (176, (176, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01345 876 NtClose (176, ... ) == 0x0 01346 876 NtClose (172, ... 
) == 0x0 01347 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) , 0, ... 172, 2, ) == 0x0 01348 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 176, ) }, ... 176, ) == 0x0 01349 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01350 876 NtQueryValueKey (172, (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01351 876 NtQueryValueKey (172, (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01352 876 NtClose (172, ... ) == 0x0 01353 876 NtClose (176, ... ) == 0x0 01354 876 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 01355 876 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01356 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 176, ) == 0x0 01357 876 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 10480912, 112, ... 172, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 10480912, 112, ... 
172, 0x0, 0x0, 0x0, 112, ) == 0x0 01358 876 NtRequestWaitReplyPort (172, {128, 152, new_msg, 0, 125668, 1310720, 10480676, 2012750850} (172, {128, 152, new_msg, 0, 125668, 1310720, 10480676, 2012750850} "\0\362\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\224\357\237\0\370\370\24\0 \33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1591, 0} "\7\362\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\224\357\237\0\370\370\24\0 \33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 876, 1591, 0} (172, {128, 152, new_msg, 0, 125668, 1310720, 10480676, 2012750850} "\0\362\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w`\17\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\224\357\237\0\370\370\24\0 \33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 876, 1591, 0} "\7\362\237\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\0\0\240\1\24\0\240\1\24\0\224\357\237\0\370\370\24\0 \33\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\17.\365w\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 01359 876 NtRequestWaitReplyPort (172, {64, 88, new_msg, 0, 456, 876, 1588, 0} (172, {64, 88, new_msg, 0, 456, 876, 1588, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{52, 76, reply, 0, 456, 876, 1592, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 876, 1592, 0} (172, {64, 88, new_msg, 0, 456, 876, 1588, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 456, 876, 1592, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01360 876 NtClose (176, ... ) == 0x0 01361 876 NtClose (172, ... ) == 0x0 01362 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 172, 2, ) , 0, ... 172, 2, ) == 0x0 01363 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 176, ) }, ... 176, ) == 0x0 01364 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01365 876 NtQueryValueKey (172, (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01366 876 NtQueryValueKey (172, (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01367 876 NtClose (172, ... ) == 0x0 01368 876 NtClose (176, ... 
) == 0x0 01369 876 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 176, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 176, 2, ) , 0, ... 176, 2, ) == 0x0 01370 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 172, ) }, ... 172, ) == 0x0 01371 876 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01372 876 NtQueryValueKey (176, (176, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01373 876 NtQueryValueKey (176, (176, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (176, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01374 876 NtClose (176, ... ) == 0x0 01375 876 NtClose (172, ... ) == 0x0 01376 876 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 172, ) }, ... 172, ) == 0x0 01377 876 NtQueryValueKey (172, (172, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01378 876 NtQueryValueKey (172, (172, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (172, "WinSock_Registry_Version", Partial, 144, ... 
TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 01379 876 NtQueryValueKey (172, (172, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01380 876 NtClose (172, ... ) == 0x0 01381 876 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01382 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 10481816, ... ) }, 10481816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01383 876 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasadhlp.dll"}, 10481816, ... ) }, 10481816, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01384 876 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 10481816, ... ) }, 10481816, ... ) == 0x0 01385 876 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01386 876 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 176, ) == 0x0 01387 876 NtQuerySection (176, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01388 876 NtClose (172, ... ) == 0x0 01389 876 NtMapViewOfSection (176, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 01390 876 NtClose (176, ... ) == 0x0 01391 876 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 176, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 176, {status=0x0, info=0}, ) == 0x0 01392 876 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
172, ) == 0x0 01393 876 NtDeviceIoControlFile (176, 172, 0x0, 0x0, 0xf14014, (176, 172, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\20\0\0\0\0\360\375\177h\2\374v\1\0\0\0\340\361\237\0D\365\237\0D\365\237\0\2$\370w\310j\367w\377\377\377\377\364j\365w$P\374w`i\365w\0\0\0\0\10\0\25\300\0\0\0\0\10\6\24\0@.$\0\254\36$\0\210/$\0\0\320\375\177\24\232\347wS\16\26\0\200\17\25\0\216\17\25\0T\16\25\0x/$\0\30\0\26\2\20\363\237\0\20\363\237\0r\0a\0s\0a\0d\0h\0l\0p\0.\0d\0l\0l\0\0\0\0\0T\16\25\0\377\377\0\0\1\0\0\0\370\24\25\0\240\31\25\0 \0\0\0\0\0\0\0\210\1\24\0\230\31\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qH\16\25\04\16\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\260\31\1\1\0\0\24\0\340\362\237\0\300\367\237\0\334\377\237\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\260\31\25\0\210\350\24\0@\203\24\0X\203\24\0\200\17\25\0\216\17\25\0T\16\25\0\377\377\0\0\0\0\0\0T\16\25\0\7\0\0\0\200\17\25\0\20\364\237\0\177;\245q\0\0\0\0\0\0\0\0\200\17\25\0\0\0\0\0T\16\25\0\377\377\0\0\1\0\0\0\230\1\24\0\350\24\25\0\20\0\0\0\0\0\0\0\230\1\24\0\340\24\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245qH\16\25\04\16\25\0\4\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\240\247\1\1\0\0\24\0\250\363\237\0\210\370\237\0\334\377\237\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\240\247\24\0\210\350\24\0@\203\24\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01394 876 NtClose (172, ... ) == 0x0 01395 876 NtClose (176, ... ) == 0x0 01396 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12003, (144, 140, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0,\354\300\250|\201\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=176}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\300\250|\201\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=176}, (144, 140, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0,\354\300\250|\201\0\0\0\0\0\0\0\0", 26, 26, ... 
{status=0x0, info=176}, "\1\0\0\0\1\0\0\0\16\0\2\0\0\0\300\250|\201\0\0\0\0\0\0\0\0", ) , ) == 0x0 01397 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12037, (144, 140, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (144, 140, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01398 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12047, (144, 140, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\353\3\0\0\11\6\2\0\14\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\0\0\300\250|\201\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01399 876 NtDeviceIoControlFile (176, 0, 0x0, 0x0, 0x120028, (176, 0, 0x0, 0x0, 0x120028, "\1\4\0\0\0\0\0\0\0\2\0\0\0\2\0\0\15\0\0\0\4\0\0\0\1\0\0\00}\0\0", 32, 0, ... {status=0x0, info=0}, 0x0, ) , 32, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 01400 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=0}, 0x0, ) , 16, 0, ... {status=0x103, info=0}, 0x0, ) == 0x103 01401 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01402 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=81}, 0x0, ) , 16, 0, ... {status=0x0, info=81}, 0x0, ) == 0x0 01403 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01404 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01405 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01406 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=128}, 0x0, ) , 16, 0, ... {status=0x0, info=128}, 0x0, ) == 0x0 01407 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01408 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01409 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01410 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01411 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01412 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01413 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01414 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01415 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01416 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01417 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01418 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01419 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01420 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01421 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01422 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01423 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01424 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01425 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01426 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01427 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01428 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01429 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01430 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01431 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01432 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01433 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01434 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01435 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01436 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01437 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01438 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01439 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01440 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01441 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01442 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01443 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01444 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01445 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01446 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01447 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01448 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01449 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01450 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01451 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01452 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01453 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01454 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01455 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01456 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=78}, 0x0, ) , 16, 0, ... {status=0x0, info=78}, 0x0, ) == 0x0 01457 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01458 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01459 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01460 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01461 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01462 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01463 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01464 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01465 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01466 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01467 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01468 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01469 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01470 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01471 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01472 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01473 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01474 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01475 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01476 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01477 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01478 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01479 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01480 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01481 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01482 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01483 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01484 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01485 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01486 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01487 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01488 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01489 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01490 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01491 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01492 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01493 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01494 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01495 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01496 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01497 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01498 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01499 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01500 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01501 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01502 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01503 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01504 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01505 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01506 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01507 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01508 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01509 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01510 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01511 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01512 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01513 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01514 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01515 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01516 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01517 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01518 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01519 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01520 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01521 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01522 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01523 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01524 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01525 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01526 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01527 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01528 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01529 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01530 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01531 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01532 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01533 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01534 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01535 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01536 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01537 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01538 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01539 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01540 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01541 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01542 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01543 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01544 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01545 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01546 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01547 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01548 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01549 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01550 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01551 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01552 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01553 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01554 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01555 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01556 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01557 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01558 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01559 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01560 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01561 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01562 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01563 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01564 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01565 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01566 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01567 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01568 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01569 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01570 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01571 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01572 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01573 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01574 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01575 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01576 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01577 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01578 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01579 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01580 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01581 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01582 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01583 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01584 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01585 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01586 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01587 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01588 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01589 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01590 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01591 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01592 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01593 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01594 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01595 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01596 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01597 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01598 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01599 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01600 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01601 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01602 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01603 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01604 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01605 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01606 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01607 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01608 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01609 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01610 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01611 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01612 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01613 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01614 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01615 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01616 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01617 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01618 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01619 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01620 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01621 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01622 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01623 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01624 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01625 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01626 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01627 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01628 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01629 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01630 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01631 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01632 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01633 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01634 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01635 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01636 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01637 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01638 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01639 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01640 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01641 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01642 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01643 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01644 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01645 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01646 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01647 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01648 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01649 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01650 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01651 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01652 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01653 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01654 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01655 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01656 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01657 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01658 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01659 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01660 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01661 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01662 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01663 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01664 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01665 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01666 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01667 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01668 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01669 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01670 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01671 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01672 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01673 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01674 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01675 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01676 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01677 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01678 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01679 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01680 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01681 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01682 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01683 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01684 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01685 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01686 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01687 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01688 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01689 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01690 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01691 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01692 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01693 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01694 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01695 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01696 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01697 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01698 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01699 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01700 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01701 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01702 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 01703 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01704 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01705 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01706 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01707 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01708 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01709 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01710 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01711 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01712 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01713 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01714 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01715 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01716 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01717 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01718 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01719 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01720 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01721 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01722 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01723 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01724 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01725 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01726 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01727 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01728 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01729 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01730 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01731 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01732 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01733 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01734 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01735 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01736 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01737 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01738 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01739 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01740 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01741 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01742 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01743 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01744 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01745 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01746 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01747 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01748 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01749 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01750 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01751 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01752 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01753 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01754 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01755 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01756 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01757 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01758 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01759 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01760 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01761 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01762 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01763 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01764 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01765 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01766 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01767 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01768 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01769 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01770 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01771 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01772 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01773 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01774 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01775 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01776 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01777 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01778 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01779 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01780 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01781 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01782 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01783 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01784 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01785 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01786 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01787 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01788 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01789 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01790 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01791 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01792 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01793 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01794 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01795 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01796 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01797 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01798 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01799 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01800 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01801 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01802 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01803 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01804 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01805 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01806 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01807 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01808 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01809 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01810 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01811 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01812 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01813 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01814 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01815 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01816 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01817 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01818 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01819 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01820 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01821 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01822 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01823 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01824 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01825 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01826 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01827 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01828 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01829 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01830 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01831 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01832 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01833 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01834 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01835 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01836 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01837 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01838 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01839 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01840 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 01841 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01842 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01843 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01844 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01845 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01846 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01847 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01848 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01849 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01850 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01851 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 01852 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01853 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01854 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01855 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01856 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01857 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01858 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01859 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01860 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01861 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01862 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 01863 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=40}, 0x0, ) , 16, 0, ... 
{status=0x103, info=40}, 0x0, ) == 0x103 01864 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x102 01865 876 NtQuerySystemTime (... {-1965755560, 29873109}, ) == 0x0 01866 876 NtWaitForSingleObject (140, 1, {-1, 2147483647}, ... ) == 0x0 01867 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 01868 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 01869 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 01129 460 NtUserGetMessage ... {0x200b2, WM_TIMER, 0x65, 0x0, 0x7530, {512, 384}}, ) == 0x1 01869 876 NtWaitForSingleObject ... ) == 0x102 01870 876 NtQuerySystemTime (... {-1956224310, 29873109}, ) == 0x0 01871 876 NtWaitForSingleObject (140, 1, {-1, 2147483647}, ... 01872 460 NtQueryValueKey (76, (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01873 460 NtQueryValueKey (76, (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01874 460 NtQueryValueKey (76, (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01875 460 NtQueryValueKey (76, (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01876 460 NtQueryValueKey (76, (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01877 460 NtQueryValueKey (76, (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01878 460 NtQueryValueKey (76, (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01879 460 NtQueryValueKey (76, (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01880 460 NtQueryValueKey (76, (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01881 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01882 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1239992, ... }, 1239992, ... 01871 876 NtWaitForSingleObject ... ) == 0x0 01883 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 01884 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 01882 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01885 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "Secur32.dll"}, 1239992, ... }, 1239992, ... 01884 876 NtWaitForSingleObject ... ) == 0x0 01886 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 01887 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 01885 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01888 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1239992, ... ) }, 1239992, ... 
) == 0x0 01889 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 172, {status=0x0, info=1}, ) }, 5, 96, ... 172, {status=0x0, info=1}, ) == 0x0 01890 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 172, ... 180, ) == 0x0 01891 460 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01892 460 NtClose (172, ... ) == 0x0 01893 460 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 01894 460 NtClose (180, ... ) == 0x0 01895 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 180, ) == 0x0 01896 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 172, ) == 0x0 01897 460 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 184, ) }, ... 184, ) == 0x0 01898 460 NtQueryEvent (184, Basic, 8, ... {EventType=0,SignalState=1,}, 0x0, ) == 0x0 01899 460 NtClose (184, ... ) == 0x0 01900 460 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1241476, 140, ... 184, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1241476, 140, ... 184, 0x0, 0x0, 256, 140, ) == 0x0 01901 460 NtRequestWaitReplyPort (184, {28, 52, new_msg, 0, 0, 0, 0, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\260\361\24\0" ... {176, 200, reply, 0, 456, 460, 1607, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 456, 460, 1607, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\260\361\24\0" ... 
{176, 200, reply, 0, 456, 460, 1607, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 01902 460 NtQueryValueKey (76, (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01903 460 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 188, ) }, ... 188, ) == 0x0 01904 460 NtQueryValueKey (188, (188, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01905 460 NtClose (188, ... ) == 0x0 01906 460 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0 01907 460 NtQueryValueKey (188, (188, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01908 460 NtClose (188, ... ) == 0x0 01909 460 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 188, ) }, ... 188, ) == 0x0 01910 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 192, ) }, ... 192, ) == 0x0 01911 460 NtQueryValueKey (192, (192, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01912 460 NtClose (192, ... 
) == 0x0 01913 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 192, ) }, ... 192, ) == 0x0 01914 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 196, ) }, ... 196, ) == 0x0 01915 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 200, ) }, ... 200, ) == 0x0 01916 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 204, ) }, ... 204, ) == 0x0 01917 460 NtQueryValueKey (204, (204, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01918 460 NtQueryValueKey (204, (204, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 01919 460 NtClose (204, ... ) == 0x0 01920 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 204, ) }, ... 204, ) == 0x0 01921 460 NtQueryValueKey (204, (204, "Cache", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01922 460 NtQueryValueKey (204, (204, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01923 460 NtQueryValueKey (204, (204, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01924 460 NtQueryValueKey (204, (204, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01925 460 NtQueryValueKey (204, (204, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01926 460 NtQueryValueKey (204, (204, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (204, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 01927 460 NtClose (204, ... ) == 0x0 01928 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "Content"}, ... 204, ) }, ... 204, ) == 0x0 01929 460 NtQueryValueKey (204, (204, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01930 460 NtClose (204, ... ) == 0x0 01931 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "Content"}, ... 204, ) }, ... 204, ) == 0x0 01932 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01933 460 NtCreateSemaphore (0x1f0003, {24, 52, 0x80, 1374360, 0, (0x1f0003, {24, 52, 0x80, 1374360, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 208, ) }, 0, 2147483647, ... 208, ) == STATUS_OBJECT_NAME_EXISTS 01934 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 01935 460 NtWaitForSingleObject (208, 0, {0, 0}, ... 
) == 0x0 01936 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01937 460 NtQueryValueKey (212, (212, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 01938 460 NtClose (212, ... ) == 0x0 01939 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1238704, ... ) }, 1238704, ... ) == 0x0 01940 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01941 460 NtSetValueKey (212, (212, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 0, 1, (212, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 01942 460 NtClose (212, ... 
) == 0x0 01943 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1240036, ... ) }, 1240036, ... ) == 0x0 01944 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1239768, ... ) }, 1239768, ... ) == 0x0 01945 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 212, {status=0x0, info=1}, ) == 0x0 01946 460 NtSetInformationFile (212, 1239744, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 01947 460 NtClose (212, ... ) == 0x0 01948 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1239768, ... ) }, 1239768, ... ) == 0x0 01949 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01950 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01951 460 NtQueryValueKey (204, (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 01952 460 NtOpenKey (0xf, {24, 48, 0x40, 0, 0, (0xf, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 212, ) }, ... 
212, ) == 0x0 01953 460 NtOpenKey (0xf, {24, 212, 0x40, 0, 0, (0xf, {24, 212, 0x40, 0, 0, "Paths"}, ... 216, ) }, ... 216, ) == 0x0 01954 460 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "Path1"}, ... 220, ) }, ... 220, ) == 0x0 01955 460 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "Path2"}, ... 224, ) }, ... 224, ) == 0x0 01956 460 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "Path3"}, ... 228, ) }, ... 228, ) == 0x0 01957 460 NtOpenKey (0xf, {24, 216, 0x40, 0, 0, (0xf, {24, 216, 0x40, 0, 0, "Path4"}, ... 232, ) }, ... 232, ) == 0x0 01958 460 NtOpenKey (0xf, {24, 212, 0x40, 0, 0, (0xf, {24, 212, 0x40, 0, 0, "Special Paths"}, ... 236, ) }, ... 236, ) == 0x0 01959 460 NtSetValueKey (216, (216, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (216, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 01960 460 NtSetValueKey (216, (216, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (216, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... ) == 0x0 01961 460 NtSetValueKey (220, (220, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... 
) , 0, 1, (220, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 01962 460 NtSetValueKey (224, (224, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (224, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 01963 460 NtSetValueKey (228, (228, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 0, 1, (228, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... 
) == 0x0 01964 460 NtSetValueKey (232, (232, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (232, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 01965 460 NtSetValueKey (220, (220, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (220, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01966 460 NtSetValueKey (224, (224, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (224, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01967 460 NtSetValueKey (228, (228, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (228, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01968 460 NtSetValueKey (232, (232, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (232, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 01969 460 NtClose (232, ... ) == 0x0 01970 460 NtClose (228, ... ) == 0x0 01971 460 NtClose (224, ... ) == 0x0 01972 460 NtClose (220, ... ) == 0x0 01973 460 NtClose (216, ... ) == 0x0 01974 460 NtClose (236, ... ) == 0x0 01975 460 NtClose (212, ... ) == 0x0 01976 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "Cookies"}, ... 212, ) }, ... 212, ) == 0x0 01977 460 NtQueryValueKey (212, (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01978 460 NtClose (212, ... 
) == 0x0 01979 460 NtClose (204, ... ) == 0x0 01980 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "Cookies"}, ... 204, ) }, ... 204, ) == 0x0 01981 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01982 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 01983 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 01984 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01985 460 NtQueryValueKey (212, (212, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 01986 460 NtClose (212, ... ) == 0x0 01987 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1238704, ... ) }, 1238704, ... ) == 0x0 01988 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 01989 460 NtSetValueKey (212, (212, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 0, 1, (212, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 01990 460 NtClose (212, ... ) == 0x0 01991 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1240036, ... ) }, 1240036, ... 
) == 0x0 01992 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01993 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 01994 460 NtQueryValueKey (204, (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 01995 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "History"}, ... 212, ) }, ... 212, ) == 0x0 01996 460 NtQueryValueKey (212, (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (212, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01997 460 NtClose (212, ... ) == 0x0 01998 460 NtClose (204, ... ) == 0x0 01999 460 NtOpenKey (0xf, {24, 196, 0x40, 0, 0, (0xf, {24, 196, 0x40, 0, 0, "History"}, ... 204, ) }, ... 204, ) == 0x0 02000 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02001 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 02002 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 02003 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02004 460 NtQueryValueKey (212, (212, "History", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (212, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 02005 460 NtClose (212, ... ) == 0x0 02006 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1238704, ... ) }, 1238704, ... ) == 0x0 02007 460 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 212, 2, ) }, 0, 0x0, 0, ... 212, 2, ) == 0x0 02008 460 NtSetValueKey (212, (212, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (212, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 02009 460 NtClose (212, ... ) == 0x0 02010 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1240036, ... ) }, 1240036, ... ) == 0x0 02011 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1239768, ... ) }, 1239768, ... ) == 0x0 02012 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 
212, {status=0x0, info=1}, ) == 0x0 02013 460 NtSetInformationFile (212, 1239744, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02014 460 NtClose (212, ... ) == 0x0 02015 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1239768, ... ) }, 1239768, ... ) == 0x0 02016 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 02017 460 NtQueryValueKey (204, (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (204, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 02018 460 NtQueryValueKey (204, (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (204, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02019 460 NtClose (204, ... ) == 0x0 02020 460 NtClose (200, ... ) == 0x0 02021 460 NtClose (192, ... ) == 0x0 02022 460 NtClose (196, ... ) == 0x0 02023 460 NtClose (188, ... ) == 0x0 02024 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 188, ) }, ... 188, ) == 0x0 02025 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 196, ) }, ... 196, ) == 0x0 02026 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02027 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 
192, {status=0x0, info=1}, ) }, 3, 8388641, ... 192, {status=0x0, info=1}, ) == 0x0 02028 460 NtQueryVolumeInformationFile (192, 1241288, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02029 460 NtClose (192, ... ) == 0x0 02030 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 192, {status=0x0, info=1}, ) }, 3, 8388641, ... 192, {status=0x0, info=1}, ) == 0x0 02031 460 NtQueryVolumeInformationFile (192, 1241312, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02032 460 NtClose (192, ... ) == 0x0 02033 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241640, ... ) }, 1241640, ... ) == 0x0 02034 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 192, {status=0x0, info=1}, ) }, 7, 2113568, ... 192, {status=0x0, info=1}, ) == 0x0 02035 460 NtSetInformationFile (192, 1241616, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02036 460 NtClose (192, ... ) == 0x0 02037 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241632, (0xc0100080, {24, 0, 0x40, 1374360, 1241632, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 02038 460 NtSetInformationFile (192, 1241684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02039 460 NtQueryInformationFile (192, 1241684, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02040 460 NtClose (192, ... ) == 0x0 02041 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241616, (0xc0100080, {24, 0, 0x40, 1374360, 1241616, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 
192, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 192, {status=0x0, info=1}, ) == 0x0 02042 460 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 200, ) }, ... 200, ) == 0x0 02043 460 NtMapViewOfSection (200, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x3f0000), {0, 0}, 32768, ) == 0x0 02044 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02045 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 204, ) }, ... 204, ) == 0x0 02046 460 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 02047 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 212, {status=0x0, info=1}, ) }, 3, 8388641, ... 212, {status=0x0, info=1}, ) == 0x0 02048 460 NtQueryVolumeInformationFile (212, 1241288, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02049 460 NtClose (212, ... ) == 0x0 02050 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 212, {status=0x0, info=1}, ) }, 3, 8388641, ... 212, {status=0x0, info=1}, ) == 0x0 02051 460 NtQueryVolumeInformationFile (212, 1241312, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02052 460 NtClose (212, ... ) == 0x0 02053 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1241640, ... ) }, 1241640, ... ) == 0x0 02054 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 212, {status=0x0, info=1}, ) }, 7, 2113568, ... 212, {status=0x0, info=1}, ) == 0x0 02055 460 NtSetInformationFile (212, 1241616, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02056 460 NtClose (212, ... 
) == 0x0 02057 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241632, (0xc0100080, {24, 0, 0x40, 1374360, 1241632, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0 02058 460 NtSetInformationFile (212, 1241684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02059 460 NtQueryInformationFile (212, 1241684, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02060 460 NtClose (212, ... ) == 0x0 02061 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241616, (0xc0100080, {24, 0, 0x40, 1374360, 1241616, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 212, {status=0x0, info=1}, ) == 0x0 02062 460 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 236, ) }, ... 236, ) == 0x0 02063 460 NtMapViewOfSection (236, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa00000), {0, 0}, 16384, ) == 0x0 02064 460 NtReleaseMutant (204, ... 0x0, ) == 0x0 02065 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 216, ) }, ... 216, ) == 0x0 02066 460 NtWaitForSingleObject (216, 0, 0x0, ... ) == 0x0 02067 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 220, {status=0x0, info=1}, ) }, 3, 8388641, ... 220, {status=0x0, info=1}, ) == 0x0 02068 460 NtQueryVolumeInformationFile (220, 1241288, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02069 460 NtClose (220, ... ) == 0x0 02070 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 220, {status=0x0, info=1}, ) }, 3, 8388641, ... 
220, {status=0x0, info=1}, ) == 0x0 02071 460 NtQueryVolumeInformationFile (220, 1241312, 24, Size, ... {status=0x0, info=24}, ) == 0x0 02072 460 NtClose (220, ... ) == 0x0 02073 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241640, ... ) }, 1241640, ... ) == 0x0 02074 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 220, {status=0x0, info=1}, ) }, 7, 2113568, ... 220, {status=0x0, info=1}, ) == 0x0 02075 460 NtSetInformationFile (220, 1241616, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02076 460 NtClose (220, ... ) == 0x0 02077 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241632, (0xc0100080, {24, 0, 0x40, 1374360, 1241632, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 220, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 220, {status=0x0, info=1}, ) == 0x0 02078 460 NtSetInformationFile (220, 1241684, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02079 460 NtQueryInformationFile (220, 1241684, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02080 460 NtClose (220, ... ) == 0x0 02081 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 1374360, 1241616, (0xc0100080, {24, 0, 0x40, 1374360, 1241616, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 220, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 220, {status=0x0, info=1}, ) == 0x0 02082 460 NtOpenSection (0x2, {24, 52, 0x0, 0, 0, (0x2, {24, 52, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 224, ) }, ... 224, ) == 0x0 02083 460 NtMapViewOfSection (224, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0xa10000), {0, 0}, 32768, ) == 0x0 02084 460 NtReleaseMutant (216, ... 
0x0, ) == 0x0 02085 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1241696, ... ) }, 1241696, ... ) == 0x0 02086 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 228, {status=0x0, info=1}, ) }, 7, 2113568, ... 228, {status=0x0, info=1}, ) == 0x0 02087 460 NtSetInformationFile (228, 1241672, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02088 460 NtClose (228, ... ) == 0x0 02089 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1241696, ... ) }, 1241696, ... ) == 0x0 02090 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1241696, ... ) }, 1241696, ... ) == 0x0 02091 460 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 228, {status=0x0, info=1}, ) }, 7, 2113568, ... 228, {status=0x0, info=1}, ) == 0x0 02092 460 NtSetInformationFile (228, 1241672, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 02093 460 NtClose (228, ... ) == 0x0 02094 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1241696, ... ) }, 1241696, ... ) == 0x0 02095 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02096 460 NtQueryInformationFile (192, 1240080, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02097 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02098 460 NtOpenKey (0xf, {24, 60, 0x40, 0, 0, (0xf, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 
228, ) }, ... 228, ) == 0x0 02099 460 NtOpenKey (0xf, {24, 228, 0x40, 0, 0, (0xf, {24, 228, 0x40, 0, 0, "Extensible Cache"}, ... 232, ) }, ... 232, ) == 0x0 02100 460 NtClose (228, ... ) == 0x0 02101 460 NtWaitForSingleObject (188, 0, {-600000000, -1}, ... ) == 0x0 02102 460 NtEnumerateKey (232, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (232, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 02103 460 NtOpenKey (0xf, {24, 232, 0x40, 0, 0, (0xf, {24, 232, 0x40, 0, 0, "MSHist012007051420070521"}, ... 228, ) }, ... 228, ) == 0x0 02104 460 NtQueryValueKey (228, (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02105 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02106 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02107 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02108 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02109 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02110 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02111 460 NtQueryValueKey (228, (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02112 460 NtQueryValueKey (228, (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 02113 460 NtClose (228, ... ) == 0x0 02114 460 NtEnumerateKey (232, 1, Basic, 288, ... 
{LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (232, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 02115 460 NtOpenKey (0xf, {24, 232, 0x40, 0, 0, (0xf, {24, 232, 0x40, 0, 0, "MSHist012007052120070528"}, ... 228, ) }, ... 228, ) == 0x0 02116 460 NtQueryValueKey (228, (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02117 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02118 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02119 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02120 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02121 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02122 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02123 460 NtQueryValueKey (228, (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02124 460 NtQueryValueKey (228, (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 02125 460 NtClose (228, ... ) == 0x0 02126 460 NtEnumerateKey (232, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (232, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 02127 460 NtOpenKey (0xf, {24, 232, 0x40, 0, 0, (0xf, {24, 232, 0x40, 0, 0, "MSHist012007053120070601"}, ... 228, ) }, ... 
228, ) == 0x0 02128 460 NtQueryValueKey (228, (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02129 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02130 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02131 460 NtQueryValueKey (228, (228, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 02132 460 NtQueryValueKey (228, (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (228, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 02133 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... 
TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02134 460 NtQueryValueKey (228, (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (228, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 02135 460 NtQueryValueKey (228, (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 02136 460 NtQueryValueKey (228, (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (228, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 02137 460 NtClose (228, ... ) == 0x0 02138 460 NtEnumerateKey (232, 3, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02139 460 NtReleaseMutant (188, ... 0x0, ) == 0x0 02140 460 NtClose (232, ... ) == 0x0 02141 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02142 460 NtQueryInformationFile (192, 1242008, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02143 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02144 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02145 460 NtQueryInformationFile (192, 1242080, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02146 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02147 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02148 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02149 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02150 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02151 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02152 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0 02153 460 NtQueryValueKey (232, (232, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02154 460 NtClose (232, ... ) == 0x0 02155 460 NtQueryValueKey (76, (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02156 460 NtQueryValueKey (76, (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02157 460 NtQueryValueKey (76, (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02158 460 NtQueryValueKey (76, (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02159 460 NtQueryValueKey (76, (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02160 460 NtQueryValueKey (76, (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02161 460 NtQueryValueKey (76, (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02162 460 NtQueryValueKey (76, (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02163 460 NtQueryValueKey (76, (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02164 460 NtQueryValueKey (76, (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02165 460 NtQueryValueKey (76, (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02166 460 NtQueryValueKey (76, (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02167 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 232, ) }, ... 232, ) == 0x0 02168 460 NtQueryValueKey (232, (232, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02169 460 NtClose (232, ... ) == 0x0 02170 460 NtQueryValueKey (76, (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02171 460 NtQueryValueKey (76, (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02172 460 NtQueryValueKey (76, (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02173 460 NtQueryValueKey (76, (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02174 460 NtQueryValueKey (76, (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02175 460 NtQueryValueKey (76, (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02176 460 NtQueryValueKey (76, (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02177 460 NtQueryValueKey (76, (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02178 460 NtQueryValueKey (76, (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02179 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 232, ) }, ... 232, ) == 0x0 02180 460 NtQueryValueKey (232, (232, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02181 460 NtClose (232, ... ) == 0x0 02182 460 NtQueryValueKey (76, (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02183 460 NtQueryValueKey (76, (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02184 460 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 02185 460 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 02186 460 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 02187 460 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 02188 460 NtQueryValueKey (76, (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02189 460 NtQueryValueKey (76, (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02190 460 NtQueryValueKey (76, (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02191 460 NtQueryValueKey (76, (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02192 460 NtQueryValueKey (76, (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02193 460 NtQueryValueKey (76, (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02194 460 NtQueryValueKey (76, (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02195 460 NtQueryValueKey (76, (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02196 460 NtQueryValueKey (76, (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02197 460 NtQueryValueKey (76, (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02198 460 NtQueryValueKey (76, (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02199 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetStartupMutex"}, ... 232, ) }, ... 
232, ) == 0x0 02200 460 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 228, ) == 0x0 02201 460 NtQueryValueKey (76, (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02202 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02203 460 NtQueryInformationFile (192, 1242056, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02204 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02205 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetConnectionMutex"}, ... 240, ) }, ... 240, ) == 0x0 02206 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 244, ) == 0x0 02207 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 248, ) }, ... 248, ) == 0x0 02208 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02209 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02210 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 252, ) }, ... 252, ) == 0x0 02211 460 NtQueryValueKey (252, (252, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (252, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 02212 460 NtQueryValueKey (252, (252, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (252, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 02213 460 NtClose (252, ... ) == 0x0 02214 460 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 02215 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 02216 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 02217 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02218 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.DLL"}, 1240444, ... }, 1240444, ... 01887 876 NtWaitForSingleObject ... ) == 0x0 02219 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02220 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02218 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02221 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "RASAPI32.DLL"}, 1240444, ... }, 1240444, ... 02220 876 NtWaitForSingleObject ... ) == 0x0 02222 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02223 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02221 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02224 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 1240444, ... ) }, 1240444, ... ) == 0x0 02225 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.DLL"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 
252, {status=0x0, info=1}, ) == 0x0 02226 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 256, ) == 0x0 02227 460 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02228 460 NtClose (252, ... ) == 0x0 02229 460 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 02230 460 NtClose (256, ... ) == 0x0 02231 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02232 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1239640, ... }, 1239640, ... 02223 876 NtWaitForSingleObject ... ) == 0x0 02233 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02234 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02232 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02235 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rasman.dll"}, 1239640, ... }, 1239640, ... 02234 876 NtWaitForSingleObject ... ) == 0x0 02236 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02237 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02235 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02238 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1239640, ... ) }, 1239640, ... ) == 0x0 02239 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 
256, {status=0x0, info=1}, ) == 0x0 02240 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 256, ... 252, ) == 0x0 02241 460 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02242 460 NtClose (256, ... ) == 0x0 02243 460 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 02244 460 NtClose (252, ... ) == 0x0 02245 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02246 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1238836, ... }, 1238836, ... 02237 876 NtWaitForSingleObject ... ) == 0x0 02247 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02248 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02246 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02249 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "NETAPI32.dll"}, 1238836, ... }, 1238836, ... 02248 876 NtWaitForSingleObject ... ) == 0x0 02250 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02251 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02249 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02252 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1238836, ... ) }, 1238836, ... ) == 0x0 02253 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 
252, {status=0x0, info=1}, ) == 0x0 02254 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 256, ) == 0x0 02255 460 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02256 460 NtClose (252, ... ) == 0x0 02257 460 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 02258 460 NtClose (256, ... ) == 0x0 02259 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02260 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1239640, ... }, 1239640, ... 02251 876 NtWaitForSingleObject ... ) == 0x0 02261 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02262 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02260 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02263 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "TAPI32.dll"}, 1239640, ... }, 1239640, ... 02262 876 NtWaitForSingleObject ... ) == 0x0 02264 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02265 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02263 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02266 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1239640, ... ) }, 1239640, ... ) == 0x0 02267 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 
256, {status=0x0, info=1}, ) == 0x0 02268 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 256, ... 252, ) == 0x0 02269 460 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02270 460 NtClose (256, ... ) == 0x0 02271 460 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 02272 460 NtClose (252, ... ) == 0x0 02273 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02274 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1238836, ... }, 1238836, ... 02265 876 NtWaitForSingleObject ... ) == 0x0 02275 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02276 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02274 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02277 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "rtutils.dll"}, 1238836, ... }, 1238836, ... 02276 876 NtWaitForSingleObject ... ) == 0x0 02278 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02279 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02277 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02280 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1238836, ... ) }, 1238836, ... ) == 0x0 02281 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 252, {status=0x0, info=1}, ) }, 5, 96, ... 
252, {status=0x0, info=1}, ) == 0x0 02282 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 252, ... 256, ) == 0x0 02283 460 NtQuerySection (256, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02284 460 NtClose (252, ... ) == 0x0 02285 460 NtMapViewOfSection (256, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 02286 460 NtClose (256, ... ) == 0x0 02287 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02288 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1238836, ... }, 1238836, ... 02279 876 NtWaitForSingleObject ... ) == 0x0 02289 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02290 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02288 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02291 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WINMM.dll"}, 1238836, ... }, 1238836, ... 02290 876 NtWaitForSingleObject ... ) == 0x0 02292 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02293 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02291 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02294 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1238836, ... ) }, 1238836, ... ) == 0x0 02295 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 256, {status=0x0, info=1}, ) }, 5, 96, ... 
256, {status=0x0, info=1}, ) == 0x0 02296 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 256, ... 252, ) == 0x0 02297 460 NtQuerySection (252, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02298 460 NtClose (256, ... ) == 0x0 02299 460 NtMapViewOfSection (252, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 02300 460 NtClose (252, ... ) == 0x0 02301 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 252, ) == 0x0 02302 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 256, ) == 0x0 02303 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 260, ) == 0x0 02304 460 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 264, ) }, ... 264, ) == 0x0 02305 460 NtQueryValueKey (264, (264, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02306 460 NtQueryValueKey (264, (264, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02307 460 NtQueryValueKey (264, (264, "wave2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02308 460 NtQueryValueKey (264, (264, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02309 460 NtQueryValueKey (264, (264, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02310 460 NtQueryValueKey (264, (264, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02311 460 NtQueryValueKey (264, (264, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02312 460 NtQueryValueKey (264, (264, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02313 460 NtQueryValueKey (264, (264, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02314 460 NtQueryValueKey (264, (264, "wave9", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02315 460 NtQueryValueKey (264, (264, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02316 460 NtQueryValueKey (264, (264, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02317 460 NtQueryValueKey (264, (264, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02318 460 NtQueryValueKey (264, (264, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02319 460 NtQueryValueKey (264, (264, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02320 460 NtQueryValueKey (264, (264, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02321 460 NtQueryValueKey (264, (264, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02322 460 NtQueryValueKey (264, (264, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02323 460 NtQueryValueKey (264, (264, "midi8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02324 460 NtQueryValueKey (264, (264, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02325 460 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 02326 460 NtQueryValueKey (264, (264, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02327 460 NtQueryValueKey (264, (264, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02328 460 NtQueryValueKey (264, (264, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02329 460 NtQueryValueKey (264, (264, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02330 460 NtQueryValueKey (264, (264, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02331 460 NtQueryValueKey (264, (264, "aux5", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02332 460 NtQueryValueKey (264, (264, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02333 460 NtQueryValueKey (264, (264, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02334 460 NtQueryValueKey (264, (264, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02335 460 NtQueryValueKey (264, (264, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02336 460 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 02337 460 NtOpenKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 268, ) }, ... 268, ) == 0x0 02338 460 NtQueryValueKey (268, (268, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (268, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02339 460 NtClose (268, ... ) == 0x0 02340 460 NtCreateEvent (0x1f0003, {24, 52, 0x80, 0, 0, (0x1f0003, {24, 52, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 02341 460 NtQueryValueKey (264, (264, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02342 460 NtQueryValueKey (264, (264, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02343 460 NtQueryValueKey (264, (264, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02344 460 NtQueryValueKey (264, (264, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02345 460 NtQueryValueKey (264, (264, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02346 460 NtQueryValueKey (264, (264, "mixer5", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02347 460 NtQueryValueKey (264, (264, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02348 460 NtQueryValueKey (264, (264, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02349 460 NtQueryValueKey (264, (264, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02350 460 NtQueryValueKey (264, (264, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02351 460 NtQueryDefaultUILanguage (1238836, ... 02352 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02353 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482044, ) == 0x0 02354 460 NtQueryInformationToken (-2147482044, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02355 460 NtClose (-2147482044, ... ) == 0x0 02356 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 02357 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02358 460 NtOpenKey (0x80000000, {24, -2147482044, 0x640, 0, 0, (0x80000000, {24, -2147482044, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0 02359 460 NtQueryValueKey (-2147482048, (-2147482048, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02360 460 NtClose (-2147482048, ... ) == 0x0 02361 460 NtClose (-2147482044, ... ) == 0x0 02351 460 NtQueryDefaultUILanguage ... ) == 0x0 02362 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02363 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 268, {status=0x0, info=1}, ) }, 1, 96, ... 268, {status=0x0, info=1}, ) == 0x0 02364 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 268, ... 272, ) == 0x0 02365 460 NtMapViewOfSection (272, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa20000), 0x0, 163840, ) == 0x0 02366 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02367 460 NtQueryDefaultLocale (1, 1236872, ... ) == 0x0 02368 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02369 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\14\1\0\0\377\377\377\377\0\0\0\0\360Z\244\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1608, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\14\1\0\0\377\377\377\377\0\0\0\0\360Z\244\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 456, 460, 1608, 0} (24, {128, 156, new_msg, 0, 1237728, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\14\1\0\0\377\377\377\377\0\0\0\0\360Z\244\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1608, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\14\1\0\0\377\377\377\377\0\0\0\0\360Z\244\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\340\351\22\0\0\0\0\0" ) ) == 0x0 02370 460 NtClose (268, ... ) == 0x0 02371 460 NtClose (272, ... ) == 0x0 02372 460 NtUnmapViewOfSection (-1, 0xa20000, ... ) == 0x0 02373 460 NtUnmapViewOfSection (-1, 0x12e9e0, ... ) == STATUS_NOT_MAPPED_VIEW 02374 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02375 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02376 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02377 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02378 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1235956, ... }, 1235956, ... 02293 876 NtWaitForSingleObject ... ) == 0x0 02379 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02380 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02378 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02381 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02382 460 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 02383 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02384 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236548, ... ) }, 1236548, ... ) == 0x0 02385 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 272, {status=0x0, info=1}, ) }, 3, 33, ... 272, {status=0x0, info=1}, ) == 0x0 02386 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02387 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 268, ) }, ... 268, ) == 0x0 02388 460 NtQueryValueKey (268, (268, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02389 460 NtQueryValueKey (268, (268, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02390 460 NtClose (268, ... ) == 0x0 02391 460 NtCreateMutant (0x1f0001, 0x0, 0, ... 268, ) == 0x0 02392 460 NtCreateMutant (0x1f0001, {24, 52, 0x80, 1392200, 0, (0x1f0001, {24, 52, 0x80, 1392200, 0, "RasPbFile"}, 0, ... ) }, 0, ... ) == STATUS_ACCESS_DENIED 02393 460 NtOpenMutant (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "RasPbFile"}, ... 276, ) }, ... 276, ) == 0x0 02394 460 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 280, ) == 0x0 02395 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 284, ) == 0x0 02396 460 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 288, ) == 0x0 02397 460 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 02398 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 292, ) == 0x0 02399 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 296, ) == 0x0 02400 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
300, ) == 0x0 02401 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 304, ) == 0x0 02402 460 NtCreateKey (0xf003f, {24, 48, 0x40, 0, 0, (0xf003f, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 308, 2, ) }, 0, 0x0, 0, ... 308, 2, ) == 0x0 02403 460 NtQueryValueKey (308, (308, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (308, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02404 460 NtClose (308, ... ) == 0x0 02405 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 308, ) == 0x0 02406 460 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 312, ) == 0x0 02407 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 316, ) }, ... 316, ) == 0x0 02408 460 NtQueryValueKey (316, (316, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02409 460 NtQueryValueKey (316, (316, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 02410 460 NtQueryValueKey (316, (316, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02411 460 NtQueryValueKey (316, (316, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "ConsoleTracingMask", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 02412 460 NtQueryValueKey (316, (316, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 02413 460 NtQueryValueKey (316, (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 02414 460 NtQueryValueKey (316, (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 02415 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 320, ) == 0x0 02416 460 NtNotifyChangeKey (316, 320, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 02417 460 NtQueryValueKey (316, (316, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02418 460 NtQueryValueKey (316, (316, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 02419 460 NtQueryValueKey (316, (316, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "EnableConsoleTracing", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02420 460 NtQueryValueKey (316, (316, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 02421 460 NtQueryValueKey (316, (316, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (316, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 02422 460 NtQueryValueKey (316, (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 02423 460 NtQueryValueKey (316, (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (316, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 02424 460 NtNotifyChangeKey (316, 320, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 02425 460 NtSetEvent (304, ... 0x0, ) == 0x0 02426 460 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 324, ) }, ... 324, ) == 0x0 02427 460 NtWaitForSingleObject (324, 0, {-1800000000, -1}, ... ) == 0x0 02428 460 NtClose (324, ... ) == 0x0 02429 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 324, ) == 0x0 02430 460 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 328, ) == 0x0 02431 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 
332, ) }, ... 332, ) == 0x0 02432 460 NtOpenKey (0x20019, {24, 332, 0x40, 0, 0, (0x20019, {24, 332, 0x40, 0, 0, "ActiveComputerName"}, ... 336, ) }, ... 336, ) == 0x0 02433 460 NtQueryValueKey (336, (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (336, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02434 460 NtClose (336, ... ) == 0x0 02435 460 NtClose (332, ... ) == 0x0 02436 460 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 332, ) == 0x0 02437 460 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 336, ) == 0x0 02438 460 NtDuplicateObject (-1, 332, -1, 0x0, 0, 2, ... 340, ) == 0x0 02439 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02440 460 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 1396736, 4096, ) == 0x0 02441 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0 02442 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02443 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02444 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240604, (0xc0100080, {24, 0, 0x40, 0, 1240604, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 348, {status=0x0, info=1}, ) == 0x0 02445 460 NtSetInformationFile (348, 1240660, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02446 460 NtSetInformationFile (348, 1240652, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02447 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02448 460 NtWriteFile (348, 325, 0, 0, (348, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02449 460 NtReadFile (348, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (348, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\361"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 02450 460 NtFsControlFile (348, 325, 0x0, 0x0, 0x11c017, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\361"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\361"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 02451 460 NtFsControlFile (348, 325, 0x0, 0x0, 0x11c017, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... 
{status=0x103, info=48}, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02452 460 NtFsControlFile (348, 325, 0x0, 0x0, 0x11c017, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02453 460 NtFsControlFile (348, 325, 0x0, 0x0, 0x11c017, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\03\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02454 460 NtFsControlFile (348, 325, 0x0, 0x0, 0x11c017, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (348, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\02\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 02455 460 NtClose (344, ... ) == 0x0 02456 460 NtClose (348, ... ) == 0x0 02457 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 02458 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02459 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02460 460 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02461 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02462 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 02463 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02464 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02465 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238108, (0xc0100080, {24, 0, 0x40, 0, 1238108, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0 02466 460 NtSetInformationFile (344, 1238164, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02467 460 NtSetInformationFile (344, 1238156, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02468 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02469 460 NtWriteFile (344, 325, 0, 0, (344, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02470 460 NtReadFile (344, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (344, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20=!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02471 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20=!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20=!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02472 460 NtClose (348, ... ) == 0x0 02473 460 NtClose (344, ... 
) == 0x0 02474 460 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 344, 2, ) }, 0, 0x0, 0, ... 344, 2, ) == 0x0 02475 460 NtCreateKey (0x20019, {24, 344, 0x40, 0, 0, (0x20019, {24, 344, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 348, 2, ) }, 0, 0x0, 0, ... 348, 2, ) == 0x0 02476 460 NtClose (344, ... ) == 0x0 02477 460 NtQueryValueKey (348, (348, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02478 460 NtClose (348, ... ) == 0x0 02479 460 NtOpenEvent (0x100000, {24, 52, 0x0, 0, 0, (0x100000, {24, 52, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 348, ) }, ... 348, ) == 0x0 02480 460 NtWaitForSingleObject (348, 0, {-1800000000, -1}, ... ) == 0x0 02481 460 NtClose (348, ... ) == 0x0 02482 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02483 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 348, ) == 0x0 02484 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02485 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02486 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1240192, (0xc0100080, {24, 0, 0x40, 0, 1240192, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 344, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 344, {status=0x0, info=1}, ) == 0x0 02487 460 NtSetInformationFile (344, 1240248, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02488 460 NtSetInformationFile (344, 1240240, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02489 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02490 460 NtWriteFile (344, 325, 0, 0, (344, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) == 0x0 02491 460 NtReadFile (344, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (344, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 02492 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20\362"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 02493 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0\0\0\0\0", 64, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02494 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\02\0\0\0", 64, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103 02495 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103 02496 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103 02497 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0L\365\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103 02498 460 NtFsControlFile (344, 325, 0x0, 0x0, 0x11c017, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... {status=0x103, info=624}, (344, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\04\341\221\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 02499 460 NtClose (348, ... 
) == 0x0 02500 460 NtClose (344, ... ) == 0x0 02501 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02502 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 1240452, ... }, 1240452, ... 02380 876 NtWaitForSingleObject ... ) == 0x0 02503 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02504 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02502 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02505 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "sensapi.dll"}, 1240452, ... }, 1240452, ... 02504 876 NtWaitForSingleObject ... ) == 0x0 02506 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 02507 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 02505 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02508 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 1240452, ... ) }, 1240452, ... ) == 0x0 02509 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 344, {status=0x0, info=1}, ) }, 5, 96, ... 344, {status=0x0, info=1}, ) == 0x0 02510 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 344, ... 348, ) == 0x0 02511 460 NtQuerySection (348, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 02512 460 NtClose (344, ... ) == 0x0 02513 460 NtMapViewOfSection (348, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 02514 460 NtClose (348, ... 
) == 0x0 02515 460 NtOpenSection (0x4, {24, 52, 0x0, 0, 0, (0x4, {24, 52, 0x0, 0, 0, "SENS Information Cache"}, ... 348, ) }, ... 348, ) == 0x0 02516 460 NtMapViewOfSection (348, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0xa20000), {0, 0}, 4096, ) == 0x0 02517 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 344, ) == 0x0 02518 460 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 1240916, 112, ... 352, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1240916, 112, ... 352, 0x0, 0x0, 0x0, 112, ) == 0x0 02519 460 NtRequestWaitReplyPort (352, {128, 152, new_msg, 0, 1310720, 126248, 1310720, 1240680} (352, {128, 152, new_msg, 0, 1310720, 126248, 1310720, 1240680} "\0$\370w\30\365\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0 H\25\0\4\0\0\0 H\25\0\20\344\314w H\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1610, 0} "\7$\370w\30\365\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 H\25\0\377\377\377\377 H\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1610, 0} (352, {128, 152, new_msg, 0, 1310720, 126248, 1310720, 1240680} "\0$\370w\30\365\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0 H\25\0\4\0\0\0 H\25\0\20\344\314w H\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1610, 0} "\7$\370w\30\365\22\0\2$\370w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0 H\25\0\377\377\377\377 H\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\0\320V\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360\375\177\5\0\0\0" ) ) == 0x0 02520 460 NtRequestWaitReplyPort (352, {32, 56, new_msg, 0, 44, 7, 20, 0} (352, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 456, 460, 1611, 0} "\28\0\0\1\0\210\200`\11\31\201&\3\0\0C\6O\200&\3\0\0`\11\31\201\0\0x\1\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\239\341\0\0\0\0\377\377{\1\340\333\2\370\277\6O\200\24\00\300\340\333\2\370X\5O\200\0\0x\1\0\0\0\0\0\0\0\0\10\315/\201\220\323\23\201\1\0\0\0\0\0\0\0\0^\0\300\3674W\200\275\11\31\201" ) ... {124, 148, reply, 0, 456, 460, 1611, 0} (352, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\310?\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 456, 460, 1611, 0} "\28\0\0\1\0\210\200`\11\31\201&\3\0\0C\6O\200&\3\0\0`\11\31\201\0\0x\1\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\239\341\0\0\0\0\377\377{\1\340\333\2\370\277\6O\200\24\00\300\340\333\2\370X\5O\200\0\0x\1\0\0\0\0\0\0\0\0\10\315/\201\220\323\23\201\1\0\0\0\0\0\0\0\0^\0\300\3674W\200\275\11\31\201" ) ) == 0x0 02521 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 02522 460 NtQueryInformationFile (192, 1242024, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02523 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 02524 460 NtRequestWaitReplyPort (184, {28, 52, new_msg, 0, 0, 0, 0, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\20Z\25\0" ... 
{176, 200, reply, 0, 456, 460, 1612, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 456, 460, 1612, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\20Z\25\0" ... {176, 200, reply, 0, 456, 460, 1612, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 02525 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02526 460 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 02527 460 NtOpenProcessToken (-1, 0x20008, ... 356, ) == 0x0 02528 460 NtQueryInformationToken (356, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02529 460 NtClose (356, ... ) == 0x0 02530 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 356, ) }, ... 356, ) == 0x0 02531 460 NtSetInformationObject (356, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 02532 460 NtOpenKey (0x3, {24, 356, 0x40, 0, 0, (0x3, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 360, ) }, ... 360, ) == 0x0 02533 460 NtOpenKey (0x1, {24, 360, 0x40, 0, 0, (0x1, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 364, ) }, ... 
364, ) == 0x0 02534 460 NtQueryValueKey (364, (364, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (364, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02535 460 NtClose (364, ... ) == 0x0 02536 460 NtAllocateVirtualMemory (-1, 1400832, 0, 20480, 4096, 4, ... 1400832, 20480, ) == 0x0 02537 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02538 460 NtOpenProcessToken (-1, 0xc, ... 364, ) == 0x0 02539 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 02540 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 02541 460 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 368, 2, ) }, 0, 0x0, 0, ... 368, 2, ) == 0x0 02542 460 NtQueryValueKey (368, (368, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 02543 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 372, ) }, ... 372, ) == 0x0 02544 460 NtMapViewOfSection (372, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 02545 460 NtClose (372, ... ) == 0x0 02546 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 372, ) }, ... 372, ) == 0x0 02547 460 NtQueryValueKey (372, (372, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02548 460 NtClose (372, ... 
) == 0x0 02549 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 372, ) }, ... 372, ) == 0x0 02550 460 NtQueryValueKey (372, (372, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02551 460 NtClose (372, ... ) == 0x0 02552 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 372, ) }, ... 372, ) == 0x0 02553 460 NtQueryValueKey (372, (372, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (372, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 02554 460 NtClose (372, ... ) == 0x0 02555 460 NtCreateEvent (0x1f0003, {24, 52, 0x80, 1237236, 0, (0x1f0003, {24, 52, 0x80, 1237236, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 372, ) }, 0, 1, ... 372, ) == STATUS_OBJECT_NAME_EXISTS 02556 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02557 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02558 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02559 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02560 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02561 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02562 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02563 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02564 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02565 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02566 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02567 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02568 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02569 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02570 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02571 460 NtQueryDefaultLocale (1, 1235072, ... 
) == 0x0 02572 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02573 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02574 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02575 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02576 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02577 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02578 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02579 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02580 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02581 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02582 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02583 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 376, ) == 0x0 02584 460 NtQueryInformationToken (376, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02585 460 NtClose (376, ... ) == 0x0 02586 460 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0 02587 460 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 380, ) }, ... 380, ) == 0x0 02588 460 NtQueryValueKey (380, (380, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (380, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 02589 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02590 460 NtQueryValueKey (380, (380, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (380, "Local Settings", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 02591 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02592 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02593 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02594 460 NtQueryDefaultLocale (1, 1235072, ... ) == 0x0 02595 460 NtClose (380, ... ) == 0x0 02596 460 NtClose (376, ... ) == 0x0 02597 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 376, ) }, ... 376, ) == 0x0 02598 460 NtQueryValueKey (376, (376, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02599 460 NtClose (376, ... ) == 0x0 02600 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 376, ) }, ... 376, ) == 0x0 02601 460 NtQueryValueKey (376, (376, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02602 460 NtQueryValueKey (376, (376, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02603 460 NtClose (376, ... ) == 0x0 02604 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02605 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 376, ) }, ... 376, ) == 0x0 02606 460 NtQueryValueKey (376, (376, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02607 460 NtClose (376, ... ) == 0x0 02608 460 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02609 460 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10682368, 4096, ) == 0x0 02610 460 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 1421312, 4096, ) == 0x0 02611 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02612 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02613 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02614 460 NtQueryValueKey (376, (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02615 460 NtClose (376, ... ) == 0x0 02616 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02617 460 NtQueryValueKey (376, (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02618 460 NtClose (376, ... ) == 0x0 02619 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... 
{BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02620 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 376, ) }, ... 376, ) == 0x0 02621 460 NtQueryKey (376, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02622 460 NtQuerySecurityObject (376, 7, 0, ... ) == STATUS_ACCESS_DENIED 02623 460 NtEnumerateValueKey (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02624 460 NtEnumerateValueKey (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02625 460 NtEnumerateValueKey (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02626 460 NtEnumerateValueKey (376, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02627 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02628 460 NtEnumerateValueKey (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02629 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02630 460 NtEnumerateValueKey (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02631 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02632 460 NtEnumerateValueKey (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02633 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02634 460 NtEnumerateValueKey (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02635 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02636 460 NtEnumerateValueKey (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02637 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02638 460 NtEnumerateValueKey (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02639 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02640 460 NtEnumerateValueKey (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02641 460 NtEnumerateValueKey (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02642 460 NtEnumerateValueKey (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02643 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02644 460 NtEnumerateValueKey (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02645 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02646 460 NtEnumerateValueKey (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02647 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02648 460 NtEnumerateValueKey (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02649 460 NtEnumerateValueKey (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02650 460 NtEnumerateValueKey (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02651 460 NtEnumerateValueKey (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02652 460 NtEnumerateValueKey (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02653 460 NtEnumerateValueKey (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02654 460 NtEnumerateValueKey (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02655 460 NtEnumerateValueKey (376, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02656 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02657 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02658 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238160, ... ) }, 1238160, ... ) == 0x0 02659 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02660 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02661 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02662 460 NtEnumerateValueKey (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02663 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02664 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02665 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238160, ... ) }, 1238160, ... ) == 0x0 02666 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02667 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02668 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02669 460 NtClose (376, ... ) == 0x0 02670 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0 02671 460 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 380, ) }, ... 380, ) == 0x0 02672 460 NtQueryValueKey (380, (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (380, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02673 460 NtClose (380, ... ) == 0x0 02674 460 NtClose (376, ... ) == 0x0 02675 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02676 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02677 460 NtQueryValueKey (376, (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02678 460 NtClose (376, ... ) == 0x0 02679 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02680 460 NtQueryValueKey (376, (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02681 460 NtClose (376, ... ) == 0x0 02682 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02683 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 376, ) }, ... 376, ) == 0x0 02684 460 NtQueryValueKey (376, (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02685 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02686 460 NtQueryValueKey (376, (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "CommonFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02687 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02688 460 NtClose (376, ... ) == 0x0 02689 460 NtQueryInformationToken (364, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02690 460 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0 02691 460 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02692 460 NtQueryInformationToken (364, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02693 460 NtDuplicateToken (364, 0xc, {24, 0, 0x0, 0, 1239544, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02694 460 NtQueryInformationToken (364, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02695 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02696 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0 02697 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02698 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02699 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237748, (0xc0100080, {24, 0, 0x40, 0, 1237748, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0 02700 460 NtSetInformationFile (384, 1237804, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02701 460 NtSetInformationFile (384, 1237796, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02702 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02703 460 NtWriteFile (384, 325, 0, 0, (384, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02704 460 NtReadFile (384, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (384, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20>!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02705 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20>!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20>!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02706 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\340\351\22\0\1\0\0\0\350\263\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\340\351\22\0\1\0\0\0\350\263\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02707 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\300~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02708 460 NtClose (380, ... ) == 0x0 02709 460 NtClose (384, ... 
) == 0x0 02710 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02711 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 384, ) == 0x0 02712 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02713 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02714 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237744, (0xc0100080, {24, 0, 0x40, 0, 1237744, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0 02715 460 NtSetInformationFile (380, 1237800, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02716 460 NtSetInformationFile (380, 1237792, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02717 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02718 460 NtWriteFile (380, 325, 0, 0, (380, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02719 460 NtReadFile (380, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (380, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20?!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02720 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20?!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... 
{status=0x103, info=68}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20?!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02721 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\351\22\0\1\0\0\0\350\263\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\351\22\0\1\0\0\0\350\263\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02722 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\301~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02723 460 NtClose (384, ... ) == 0x0 02724 460 NtClose (380, ... ) == 0x0 02725 460 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02726 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02727 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0 02728 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02729 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02730 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237376, (0xc0100080, {24, 0, 0x40, 0, 1237376, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0 02731 460 NtSetInformationFile (384, 1237432, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02732 460 NtSetInformationFile (384, 1237424, 8, Completion, ... 
{status=0x0, info=0}, ) == 0x0 02733 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02734 460 NtWriteFile (384, 325, 0, 0, (384, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02735 460 NtReadFile (384, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (384, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02736 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20@!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02737 460 NtClose (380, ... ) == 0x0 02738 460 NtClose (384, ... ) == 0x0 02739 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02740 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02741 460 NtQueryInformationToken (364, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02742 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 384, ) }, ... 384, ) == 0x0 02743 460 NtQueryValueKey (384, (384, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (384, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02744 460 NtClose (384, ... ) == 0x0 02745 460 NtCreateKey (0x2001f, {24, 376, 0x40, 0, 0, (0x2001f, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 384, 2, ) }, 0, 0x0, 0, ... 384, 2, ) == 0x0 02746 460 NtQueryValueKey (384, (384, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (384, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02747 460 NtClose (384, ... ) == 0x0 02748 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02749 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02750 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1239448, ... ) }, 1239448, ... ) == 0x0 02751 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239456, (0x80100080, {24, 0, 0x40, 0, 1239456, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
384, {status=0x0, info=1}, ) == 0x0 02752 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02753 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02754 460 NtQueryInformationFile (384, 1239472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02755 460 NtReadFile (384, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02756 460 NtClose (384, ... ) == 0x0 02757 460 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Environment"}, ... 384, ) }, ... 384, ) == 0x0 02758 460 NtAllocateVirtualMemory (-1, 1425408, 0, 12288, 4096, 4, ... 1425408, 12288, ) == 0x0 02759 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02760 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02761 460 NtEnumerateValueKey (384, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02762 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02763 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02764 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02765 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238188, ... ) }, 1238188, ... ) == 0x0 02766 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02767 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02768 460 NtClose (380, ... ) == 0x0 02769 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02770 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02771 460 NtClose (380, ... ) == 0x0 02772 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02773 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02774 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02775 460 NtEnumerateValueKey (384, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02776 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02777 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02778 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238188, ... ) }, 1238188, ... ) == 0x0 02779 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02780 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02781 460 NtClose (380, ... ) == 0x0 02782 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02783 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02784 460 NtClose (380, ... ) == 0x0 02785 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02786 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02787 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02788 460 NtEnumerateValueKey (384, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02789 460 NtClose (384, ... ) == 0x0 02790 460 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Volatile Environment"}, ... 384, ) }, ... 384, ) == 0x0 02791 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02792 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02793 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02794 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02795 460 NtEnumerateValueKey (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (384, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02796 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02797 460 NtEnumerateValueKey (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02798 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02799 460 NtEnumerateValueKey (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02800 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02801 460 NtEnumerateValueKey (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (384, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02802 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02803 460 NtEnumerateValueKey (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02804 460 NtEnumerateValueKey (384, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02805 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02806 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02807 460 NtEnumerateValueKey (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02808 460 NtEnumerateValueKey (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02809 460 NtEnumerateValueKey (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02810 460 NtEnumerateValueKey (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02811 460 NtEnumerateValueKey (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02812 460 NtEnumerateValueKey (384, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02813 460 NtClose (384, ... ) == 0x0 02814 460 NtClose (376, ... ) == 0x0 02815 460 NtFreeVirtualMemory (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0 02816 460 NtClose (368, ... ) == 0x0 02817 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 1240112, ... ) }, 1240112, ... ) == 0x0 02818 460 NtCreateKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 
368, 2, ) }, 0, 0x0, 0, ... 368, 2, ) == 0x0 02819 460 NtSetValueKey (368, (368, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (368, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0 02820 460 NtClose (368, ... ) == 0x0 02821 460 NtClose (364, ... ) == 0x0 02822 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 02823 460 NtQueryDirectoryFile (364, 0, 0, 0, 1239088, 616, BothDirectory, 1, (364, 0, 0, 0, 1239088, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02824 460 NtClose (364, ... ) == 0x0 02825 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 364, {status=0x0, info=1}, ) }, 3, 16417, ... 364, {status=0x0, info=1}, ) == 0x0 02826 460 NtQueryDirectoryFile (364, 0, 0, 0, 1239088, 616, BothDirectory, 1, (364, 0, 0, 0, 1239088, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02827 460 NtClose (364, ... ) == 0x0 02828 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02829 460 NtOpenProcessToken (-1, 0xc, ... 364, ) == 0x0 02830 460 NtQueryInformationToken (364, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02831 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 368, ) }, ... 
368, ) == 0x0 02832 460 NtCreateKey (0x2000000, {24, 368, 0x40, 0, 0, (0x2000000, {24, 368, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 02833 460 NtClose (368, ... ) == 0x0 02834 460 NtQueryValueKey (376, (376, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02835 460 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10682368, 4096, ) == 0x0 02836 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02837 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02838 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 368, ) }, ... 368, ) == 0x0 02839 460 NtQueryValueKey (368, (368, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02840 460 NtClose (368, ... 
) == 0x0 02841 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 368, ) }, ... 368, ) == 0x0 02842 460 NtQueryValueKey (368, (368, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02843 460 NtClose (368, ... ) == 0x0 02844 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02845 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 368, ) }, ... 368, ) == 0x0 02846 460 NtQueryKey (368, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02847 460 NtQuerySecurityObject (368, 7, 0, ... ) == STATUS_ACCESS_DENIED 02848 460 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02849 460 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (368, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02850 460 NtEnumerateValueKey (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02851 460 NtEnumerateValueKey (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02852 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02853 460 NtEnumerateValueKey (368, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (368, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02854 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02855 460 NtEnumerateValueKey (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02856 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... 
{BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02857 460 NtEnumerateValueKey (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02858 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02859 460 NtEnumerateValueKey (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02860 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02861 460 NtEnumerateValueKey (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02862 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02863 460 NtEnumerateValueKey (368, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name= (368, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (368, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02864 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02865 460 NtEnumerateValueKey (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02866 460 NtEnumerateValueKey (368, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (368, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02867 460 NtEnumerateValueKey (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (368, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02868 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... 
{BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02869 460 NtEnumerateValueKey (368, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (368, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02870 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02871 460 NtEnumerateValueKey (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (368, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02872 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02873 460 NtEnumerateValueKey (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (368, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02874 460 NtEnumerateValueKey (368, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (368, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02875 460 NtEnumerateValueKey (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (368, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02876 460 NtEnumerateValueKey (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (368, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02877 460 NtEnumerateValueKey (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (368, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02878 460 NtEnumerateValueKey (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (368, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02879 460 NtEnumerateValueKey (368, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (368, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (368, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02880 460 NtEnumerateValueKey (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (368, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02881 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02882 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02883 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238160, ... ) }, 1238160, ... ) == 0x0 02884 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02885 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02886 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02887 460 NtEnumerateValueKey (368, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (368, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (368, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02888 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02889 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02890 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238160, ... ) }, 1238160, ... ) == 0x0 02891 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02892 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02893 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02894 460 NtClose (368, ... ) == 0x0 02895 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 368, ) }, ... 368, ) == 0x0 02896 460 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "ActiveComputerName"}, ... 384, ) }, ... 384, ) == 0x0 02897 460 NtQueryValueKey (384, (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (384, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02898 460 NtClose (384, ... ) == 0x0 02899 460 NtClose (368, ... ) == 0x0 02900 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... 
{BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02901 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 368, ) }, ... 368, ) == 0x0 02902 460 NtQueryValueKey (368, (368, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02903 460 NtClose (368, ... ) == 0x0 02904 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 368, ) }, ... 368, ) == 0x0 02905 460 NtQueryValueKey (368, (368, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02906 460 NtClose (368, ... ) == 0x0 02907 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02908 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 368, ) }, ... 368, ) == 0x0 02909 460 NtQueryValueKey (368, (368, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02910 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02911 460 NtQueryValueKey (368, (368, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (368, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02912 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02913 460 NtClose (368, ... ) == 0x0 02914 460 NtQueryInformationToken (364, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02915 460 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 368, ) }, ... 368, ) == 0x0 02916 460 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02917 460 NtQueryInformationToken (364, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02918 460 NtDuplicateToken (364, 0xc, {24, 0, 0x0, 0, 1239544, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02919 460 NtQueryInformationToken (364, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02920 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02921 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 384, ) == 0x0 02922 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02923 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02924 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237748, (0xc0100080, {24, 0, 0x40, 0, 1237748, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0 02925 460 NtSetInformationFile (380, 1237804, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02926 460 NtSetInformationFile (380, 1237796, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02927 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02928 460 NtWriteFile (380, 325, 0, 0, (380, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02929 460 NtReadFile (380, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (380, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02930 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\250\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20A!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02931 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\340\351\22\0\1\0\0\0x\264\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\340\351\22\0\1\0\0\0x\264\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02932 460 NtFsControlFile (380, 325, 0x0, 0x0, 0x11c017, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (380, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\302~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02933 460 NtClose (384, ... ) == 0x0 02934 460 NtClose (380, ... ) == 0x0 02935 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02936 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0 02937 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02938 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02939 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1237744, (0xc0100080, {24, 0, 0x40, 0, 1237744, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 384, {status=0x0, info=1}, ) == 0x0 02940 460 NtSetInformationFile (384, 1237800, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02941 460 NtSetInformationFile (384, 1237792, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02942 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02943 460 NtWriteFile (384, 325, 0, 0, (384, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02944 460 NtReadFile (384, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (384, 325, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02945 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\351\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20B!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02946 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\351\22\0\1\0\0\0x\264\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\351\22\0\1\0\0\0x\264\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02947 460 NtFsControlFile (384, 325, 0x0, 0x0, 0x11c017, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (384, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\303~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02948 460 NtClose (380, ... ) == 0x0 02949 460 NtClose (384, ... ) == 0x0 02950 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02951 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02952 460 NtQueryInformationToken (364, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02953 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 384, ) }, ... 384, ) == 0x0 02954 460 NtQueryValueKey (384, (384, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (384, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02955 460 NtClose (384, ... ) == 0x0 02956 460 NtCreateKey (0x2001f, {24, 368, 0x40, 0, 0, (0x2001f, {24, 368, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 384, 2, ) }, 0, 0x0, 0, ... 384, 2, ) == 0x0 02957 460 NtQueryValueKey (384, (384, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (384, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02958 460 NtClose (384, ... ) == 0x0 02959 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02960 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02961 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1239448, ... ) }, 1239448, ... ) == 0x0 02962 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1239456, (0x80100080, {24, 0, 0x40, 0, 1239456, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 384, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
384, {status=0x0, info=1}, ) == 0x0 02963 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02964 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02965 460 NtQueryInformationFile (384, 1239472, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02966 460 NtReadFile (384, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02967 460 NtClose (384, ... ) == 0x0 02968 460 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "Environment"}, ... 384, ) }, ... 384, ) == 0x0 02969 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02970 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02971 460 NtEnumerateValueKey (384, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02972 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02973 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02974 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02975 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238188, ... ) }, 1238188, ... ) == 0x0 02976 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02977 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02978 460 NtClose (380, ... ) == 0x0 02979 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02980 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02981 460 NtClose (380, ... ) == 0x0 02982 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02983 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02984 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02985 460 NtEnumerateValueKey (384, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02986 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02987 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02988 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238188, ... ) }, 1238188, ... ) == 0x0 02989 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02990 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02991 460 NtClose (380, ... ) == 0x0 02992 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02993 460 NtQueryDirectoryFile (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, (380, 0, 0, 0, 1237548, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02994 460 NtClose (380, ... ) == 0x0 02995 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02996 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02997 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02998 460 NtEnumerateValueKey (384, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02999 460 NtClose (384, ... ) == 0x0 03000 460 NtOpenKey (0x20019, {24, 368, 0x40, 0, 0, (0x20019, {24, 368, 0x40, 0, 0, "Volatile Environment"}, ... 384, ) }, ... 384, ) == 0x0 03001 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03002 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03003 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03004 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03005 460 NtEnumerateValueKey (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (384, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03006 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03007 460 NtEnumerateValueKey (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03008 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03009 460 NtEnumerateValueKey (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03010 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03011 460 NtEnumerateValueKey (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (384, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03012 460 NtQueryVirtualMemory (-1, 0xa30000, Basic, 28, ... {BaseAddress=0xa30000,AllocationBase=0xa30000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03013 460 NtEnumerateValueKey (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03014 460 NtEnumerateValueKey (384, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03015 460 NtEnumerateValueKey (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (384, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03016 460 NtEnumerateValueKey (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (384, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03017 460 NtEnumerateValueKey (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (384, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03018 460 NtEnumerateValueKey (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (384, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03019 460 NtEnumerateValueKey (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (384, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03020 460 NtEnumerateValueKey (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (384, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03021 460 NtEnumerateValueKey (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (384, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03022 460 NtEnumerateValueKey (384, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03023 460 NtClose (384, ... ) == 0x0 03024 460 NtClose (368, ... ) == 0x0 03025 460 NtFreeVirtualMemory (-1, (0xa30000), 0, 32768, ... (0xa30000), 4096, ) == 0x0 03026 460 NtClose (376, ... ) == 0x0 03027 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240112, ... ) }, 1240112, ... ) == 0x0 03028 460 NtQueryInformationToken (364, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03029 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0 03030 460 NtCreateKey (0x2000000, {24, 376, 0x40, 0, 0, (0x2000000, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 368, 2, ) }, 0, 0x0, 0, ... 368, 2, ) == 0x0 03031 460 NtClose (376, ... ) == 0x0 03032 460 NtSetValueKey (368, (368, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (368, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03033 460 NtClose (368, ... ) == 0x0 03034 460 NtClose (364, ... ) == 0x0 03035 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03036 460 NtCreateKey (0x2, {24, 360, 0x40, 0, 0, (0x2, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 364, 2, ) }, 0, "", 0, ... 364, 2, ) == 0x0 03037 460 NtSetValueKey (364, (364, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (364, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03038 460 NtClose (364, ... ) == 0x0 03039 460 NtOpenKey (0x20019, {24, 360, 0x40, 0, 0, (0x20019, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 364, ) }, ... 364, ) == 0x0 03040 460 NtQueryValueKey (364, (364, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (364, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03041 460 NtQueryValueKey (364, (364, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03042 460 NtQueryValueKey (364, (364, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03043 460 NtQueryValueKey (364, (364, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03044 460 NtClose (364, ... ) == 0x0 03045 460 NtWaitForSingleObject (248, 0, 0x0, ... ) == 0x0 03046 460 NtCreateKey (0x1, {24, 360, 0x40, 0, 0, (0x1, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 364, 2, ) }, 0, "", 0, ... 364, 2, ) == 0x0 03047 460 NtQueryValueKey (364, (364, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03048 460 NtQueryValueKey (364, (364, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03049 460 NtReleaseMutant (248, ... 0x0, ) == 0x0 03050 460 NtClose (364, ... ) == 0x0 03051 460 NtWaitForSingleObject (248, 0, 0x0, ... 
) == 0x0 03052 460 NtCreateKey (0x1, {24, 360, 0x40, 0, 0, (0x1, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 364, 2, ) }, 0, "", 0, ... 364, 2, ) == 0x0 03053 460 NtQueryValueKey (364, (364, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03054 460 NtQueryValueKey (364, (364, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (364, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03055 460 NtReleaseMutant (248, ... 0x0, ) == 0x0 03056 460 NtClose (364, ... ) == 0x0 03057 460 NtWaitForSingleObject (228, 0, 0x0, ... ) == 0x0 03058 460 NtClearEvent (228, ... ) == 0x0 03059 460 NtSetEvent (228, ... 0x0, ) == 0x0 03060 460 NtCreateKey (0x20006, {24, 360, 0x40, 0, 0, (0x20006, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 364, 2, ) }, 0, "", 0, ... 364, 2, ) == 0x0 03061 460 NtSetValueKey (364, (364, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (364, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 03062 460 NtDeleteValueKey (364, (364, "ProxyServer", ... ) , ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03063 460 NtDeleteValueKey (364, (364, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03064 460 NtDeleteValueKey (364, (364, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03065 460 NtClose (364, ... ) == 0x0 03066 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 364, ) }, ... 364, ) == 0x0 03067 460 NtCreateKey (0x2, {24, 364, 0x40, 0, 0, (0x2, {24, 364, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 368, 2, ) }, 0, "", 0, ... 368, 2, ) == 0x0 03068 460 NtSetValueKey (368, (368, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (368, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 03069 460 NtClose (368, ... ) == 0x0 03070 460 NtWaitForSingleObject (248, 0, 0x0, ... ) == 0x0 03071 460 NtCreateKey (0x1, {24, 360, 0x40, 0, 0, (0x1, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 368, 2, ) }, 0, "", 0, ... 368, 2, ) == 0x0 03072 460 NtQueryValueKey (368, (368, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (368, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03073 460 NtQueryValueKey (368, (368, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (368, "SavedLegacySettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 03074 460 NtCreateKey (0x2, {24, 360, 0x40, 0, 0, (0x2, {24, 360, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 376, 2, ) }, 0, "", 0, ... 376, 2, ) == 0x0 03075 460 NtReleaseMutant (248, ... 0x0, ) == 0x0 03076 460 NtClose (368, ... ) == 0x0 03077 460 NtSetValueKey (376, (376, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3, (376, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ... 03078 460 NtSetInformationFile (-2147482732, -131954892, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03079 460 NtSetInformationFile (-2147482732, -131954992, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 03077 460 NtSetValueKey ... ) == 0x0 03080 460 NtClose (376, ... ) == 0x0 03081 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03082 460 NtQueryInformationFile (192, 1242180, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03083 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03084 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 03085 460 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 376, ) == 0x0 03086 460 NtWaitForSingleObject (376, 0, 0x0, ... ) == 0x0 03087 460 NtClearEvent (376, ... ) == 0x0 03088 460 NtSetEvent (376, ... 0x0, ) == 0x0 03089 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "wsock32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03090 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\wsock32.dll"}, 1239760, ... }, 1239760, ... 02507 876 NtWaitForSingleObject ... 
) == 0x0 03091 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 03092 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03090 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03093 460 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "wsock32.dll"}, 1239760, ... }, 1239760, ... 03092 876 NtWaitForSingleObject ... ) == 0x0 03094 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 03095 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03093 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03096 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 1239760, ... ) }, 1239760, ... ) == 0x0 03097 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wsock32.dll"}, 5, 96, ... 368, {status=0x0, info=1}, ) }, 5, 96, ... 368, {status=0x0, info=1}, ) == 0x0 03098 460 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 368, ... 384, ) == 0x0 03099 460 NtQuerySection (384, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03100 460 NtClose (368, ... ) == 0x0 03101 460 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 03102 460 NtClose (384, ... ) == 0x0 03103 460 NtClearEvent (228, ... ) == 0x0 03104 460 NtSetEvent (228, ... 0x0, ) == 0x0 03105 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03106 460 NtQueryInformationFile (192, 1241452, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03107 460 NtReleaseMutant (196, ... 
0x0, ) == 0x0 03108 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03109 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03110 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03111 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03112 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03113 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03114 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03115 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03116 460 NtQueryInformationFile (192, 1241648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03117 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03118 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 03119 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 384, ) }, ... 384, ) == 0x0 03120 460 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0 03121 460 NtClose (384, ... ) == 0x0 03122 460 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 384, ) }, ... 384, ) == 0x0 03123 460 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 03124 460 NtClose (384, ... ) == 0x0 03125 460 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03126 460 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 10682368, 65536, ) == 0x0 03127 460 NtAllocateVirtualMemory (-1, 10682368, 0, 4096, 4096, 4, ... 10682368, 4096, ) == 0x0 03128 460 NtAllocateVirtualMemory (-1, 10686464, 0, 8192, 4096, 4, ... 10686464, 8192, ) == 0x0 03129 460 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 384, ) }, 0, ... 384, ) == 0x0 03130 460 NtCreateMutant (0x1f0001, {24, 52, 0x80, 0, 0, (0x1f0001, {24, 52, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 368, ) }, 0, ... 368, ) == 0x0 03131 460 NtQueryDefaultUILanguage (1237672, ... 03132 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03133 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482044, ) == 0x0 03134 460 NtQueryInformationToken (-2147482044, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03135 460 NtClose (-2147482044, ... ) == 0x0 03136 460 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 03137 460 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03138 460 NtOpenKey (0x80000000, {24, -2147482044, 0x640, 0, 0, (0x80000000, {24, -2147482044, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482048, ) }, ... -2147482048, ) == 0x0 03139 460 NtQueryValueKey (-2147482048, (-2147482048, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03140 460 NtClose (-2147482048, ... 
) == 0x0 03141 460 NtClose (-2147482044, ... ) == 0x0 03131 460 NtQueryDefaultUILanguage ... ) == 0x0 03142 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03143 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 380, {status=0x0, info=1}, ) }, 1, 96, ... 380, {status=0x0, info=1}, ) == 0x0 03144 460 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 380, ... 388, ) == 0x0 03145 460 NtMapViewOfSection (388, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0xa60000), 0x0, 454656, ) == 0x0 03146 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03147 460 NtQueryDefaultLocale (1, 1235708, ... ) == 0x0 03148 460 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03149 460 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1236564, 1, 96, 0} (24, {128, 156, new_msg, 0, 1236564, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\341\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1|\1\0\0\377\377\377\377\0\0\0\0\240\302\253\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\345\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1613, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\341\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1|\1\0\0\377\377\377\377\0\0\0\0\240\302\253\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\345\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 456, 460, 1613, 0} (24, {128, 156, new_msg, 0, 1236564, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\341\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1|\1\0\0\377\377\377\377\0\0\0\0\240\302\253\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\345\22\0\0\0\0\0" ... {128, 156, reply, 0, 456, 460, 1613, 0} "\210\347\26\0\33\0\1\0\0\0\0\0\1\341\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1|\1\0\0\377\377\377\377\0\0\0\0\240\302\253\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0T\345\22\0\0\0\0\0" ) ) == 0x0 03150 460 NtClose (380, ... ) == 0x0 03151 460 NtClose (388, ... ) == 0x0 03152 460 NtUnmapViewOfSection (-1, 0xa60000, ... ) == 0x0 03153 460 NtUnmapViewOfSection (-1, 0x12e554, ... ) == STATUS_NOT_MAPPED_VIEW 03154 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03155 460 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03156 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03157 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03158 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1234248, ... }, 1234248, ... 03095 876 NtWaitForSingleObject ... ) == 0x0 03159 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=79}, 0x0, ) , 16, 0, ... {status=0x103, info=79}, 0x0, ) == 0x103 03160 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03158 460 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03161 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03162 460 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 03163 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03164 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1234840, ... ) }, 1234840, ... ) == 0x0 03165 460 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 388, {status=0x0, info=1}, ) }, 3, 33, ... 388, {status=0x0, info=1}, ) == 0x0 03166 460 NtQueryDebugFilterState (53, 2, ... ) == 0x0 03167 460 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 03168 460 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 03169 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03170 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03171 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 380, ) == 0x0 03172 460 NtQueryInformationToken (380, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03173 460 NtClose (380, ... ) == 0x0 03174 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 380, ) }, ... 380, ) == 0x0 03175 460 NtSetInformationObject (382, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 03176 460 NtQueryKey (382, Name, 384, ... {Name= (382, Name, 384, ... 
{Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 03177 460 NtOpenKey (0x2000000, {24, 382, 0x40, 0, 0, (0x2000000, {24, 382, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03178 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 392, ) }, ... 392, ) == 0x0 03179 460 NtQueryKey (394, Name, 392, ... {Name= (394, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 03180 460 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 03181 460 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 03182 460 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 03183 460 NtClose (396, ... ) == 0x0 03184 460 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03185 460 NtEnumerateKey (394, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (394, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 03186 460 NtEnumerateKey (394, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 03187 460 NtClose (394, ... ) == 0x0 03188 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03189 460 NtOpenKey (0x1, {24, 60, 0x40, 0, 0, (0x1, {24, 60, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03190 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 392, ) }, ... 392, ) == 0x0 03191 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Ranges\"}, ... 396, ) }, ... 396, ) == 0x0 03192 460 NtQueryKey (396, 4, 176, ... {key info, class 4, size 40}, 40, ) == 0x0 03193 460 NtClose (396, ... ) == 0x0 03194 460 NtRequestWaitReplyPort (184, {28, 52, new_msg, 0, 0, 0, 0, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\260\361\24\0" ... {176, 200, reply, 0, 456, 460, 1614, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 456, 460, 1614, 0} (184, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\260\361\24\0" ... {176, 200, reply, 0, 456, 460, 1614, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 03195 460 NtCreateSection (0xf0007, {24, 52, 0x80, 0, 0, (0xf0007, {24, 52, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 396, ) }, {8, 0}, 4, 134217728, 0, ... 396, ) == 0x0 03196 460 NtMapViewOfSection (396, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... 
(0xa60000), {0, 0}, 4096, ) == 0x0 03197 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\Setup"}, ... 400, ) }, ... 400, ) == 0x0 03198 460 NtQueryValueKey (400, (400, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03199 460 NtClose (400, ... ) == 0x0 03200 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 400, ) }, ... 400, ) == 0x0 03201 460 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "0"}, ... 404, ) }, ... 404, ) == 0x0 03202 460 NtClose (404, ... ) == 0x0 03203 460 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "1"}, ... 404, ) }, ... 404, ) == 0x0 03204 460 NtClose (404, ... ) == 0x0 03205 460 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "2"}, ... 404, ) }, ... 404, ) == 0x0 03206 460 NtClose (404, ... ) == 0x0 03207 460 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "3"}, ... 404, ) }, ... 404, ) == 0x0 03208 460 NtClose (404, ... ) == 0x0 03209 460 NtOpenKey (0x20019, {24, 400, 0x40, 0, 0, (0x20019, {24, 400, 0x40, 0, 0, "4"}, ... 404, ) }, ... 404, ) == 0x0 03210 460 NtClose (404, ... ) == 0x0 03211 460 NtClose (400, ... ) == 0x0 03212 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 400, ) }, ... 400, ) == 0x0 03213 460 NtEnumerateKey (400, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (400, 0, Basic, 288, ... 
{LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 03214 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 404, ) }, ... 404, ) == 0x0 03215 460 NtQueryValueKey (404, (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 03216 460 NtClose (404, ... ) == 0x0 03217 460 NtEnumerateKey (400, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (400, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0 03218 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 404, ) }, ... 404, ) == 0x0 03219 460 NtQueryValueKey (404, (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) }, 16, ) == 0x0 03220 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03221 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03222 460 NtOpenKey (0x2001f, {24, 60, 0x40, 0, 0, (0x2001f, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 408, ) }, ... 408, ) == 0x0 03223 460 NtSetValueKey (408, (408, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (408, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03224 460 NtSetValueKey (408, (408, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (408, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03225 460 NtSetValueKey (408, (408, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (408, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 03226 460 NtClose (408, ... 
) == 0x0 03227 460 NtClose (404, ... ) == 0x0 03228 460 NtEnumerateKey (400, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (400, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) }, 18, ) == 0x0 03229 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 404, ) }, ... 404, ) == 0x0 03230 460 NtQueryValueKey (404, (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0 03231 460 NtClose (404, ... ) == 0x0 03232 460 NtEnumerateKey (400, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (400, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0 03233 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 404, ) }, ... 404, ) == 0x0 03234 460 NtQueryValueKey (404, (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03235 460 NtClose (404, ... ) == 0x0 03236 460 NtEnumerateKey (400, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (400, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0 03237 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 404, ) }, ... 404, ) == 0x0 03238 460 NtQueryValueKey (404, (404, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "Flags", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03239 460 NtClose (404, ... ) == 0x0 03240 460 NtEnumerateKey (400, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 03241 460 NtClose (400, ... ) == 0x0 03242 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03243 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03244 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03245 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03246 460 NtQueryValueKey (392, (392, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03247 460 NtQueryValueKey (392, (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03248 460 NtClearEvent (228, ... ) == 0x0 03249 460 NtSetEvent (228, ... 0x0, ) == 0x0 03250 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "ProtocolDefaults\"}, ... 400, ) }, ... 400, ) == 0x0 03251 460 NtQueryValueKey (400, (400, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03252 460 NtClose (400, ... ) == 0x0 03253 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03254 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03255 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03256 460 NtReleaseMutant (384, ... 
0x0, ) == 0x0 03257 460 NtWaitForSingleObject (368, 0, 0x0, ... ) == 0x0 03258 460 NtReleaseMutant (368, ... 0x0, ) == 0x0 03259 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 400, ) }, ... 400, ) == 0x0 03260 460 NtQueryValueKey (400, (400, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (400, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03261 460 NtWaitForSingleObject (368, 0, 0x0, ... ) == 0x0 03262 460 NtReleaseMutant (368, ... 0x0, ) == 0x0 03263 460 NtWaitForSingleObject (368, 0, 0x0, ... ) == 0x0 03264 460 NtReleaseMutant (368, ... 0x0, ) == 0x0 03265 460 NtClose (400, ... ) == 0x0 03266 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03267 460 NtQueryInformationFile (192, 1241900, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03268 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03269 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03270 460 NtQueryInformationFile (192, 1239516, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03271 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03272 460 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 03273 460 NtQueryInformationFile (212, 1241480, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03274 460 NtReleaseMutant (204, ... 0x0, ) == 0x0 03275 460 NtWaitForSingleObject (204, 0, 0x0, ... ) == 0x0 03276 460 NtQueryInformationFile (212, 1241440, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03277 460 NtReleaseMutant (204, ... 0x0, ) == 0x0 03278 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03279 460 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 400, ) == 0x0 03280 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 03281 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 408, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 
408, 0x0, 0x0, 0x0, 112, ) == 0x0 03282 460 NtRequestWaitReplyPort (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0\360\352\25\0\370\4\24\0\250\354\25\0\1\0\0\0\200\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 456, 460, 1616, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0\360\352\25\0\370\4\24\0\250\354\25\0\1\0\0\0\200\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1616, 0} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0\360\352\25\0\370\4\24\0\250\354\25\0\1\0\0\0\200\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 456, 460, 1616, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\0\0\0\0\360\352\25\0\370\4\24\0\250\354\25\0\1\0\0\0\200\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0\250\354\25\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 03283 460 NtRequestWaitReplyPort (408, {64, 88, new_msg, 0, 44, 3, 20, 0} (408, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... 
{52, 76, reply, 0, 456, 460, 1617, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 460, 1617, 0} (408, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 456, 460, 1617, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03284 460 NtClose (404, ... ) == 0x0 03285 460 NtClose (408, ... ) == 0x0 03286 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 03287 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 03288 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03289 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03290 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03291 460 NtClose (408, ... ) == 0x0 03292 460 NtClose (404, ... 
) == 0x0 03293 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) , 0, ... 404, 2, ) == 0x0 03294 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 408, ) }, ... 408, ) == 0x0 03295 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03296 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03297 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03298 460 NtClose (404, ... ) == 0x0 03299 460 NtClose (408, ... ) == 0x0 03300 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03301 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 408, ) }, ... 408, ) == 0x0 03302 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03303 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03304 460 NtClose (408, ... ) == 0x0 03305 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03306 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03307 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03308 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03309 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03310 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) == 0x0 03311 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0x\352\25\0\330\335\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\25\0\370\357\25\0\34\343\22\0\0\0\0\0\210\1\24\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1620, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0x\352\25\0\330\335\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\25\0\370\357\25\0\34\343\22\0\0\0\0\0\210\1\24\0\5\0\0\0" ) ... 
{128, 152, reply, 0, 456, 460, 1620, 0} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0x\352\25\0\330\335\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\25\0\370\357\25\0\34\343\22\0\0\0\0\0\210\1\24\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1620, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\10\0x\352\25\0\330\335\25\0\0\0\0\0\0\0\0\0\24\0\0\0\1\0\0\0\0\0\0\0\0\0\25\0\370\357\25\0\34\343\22\0\0\0\0\0\210\1\24\0\5\0\0\0" ) ) == 0x0 03312 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 456, 460, 1617, 0} (404, {112, 136, new_msg, 0, 456, 460, 1617, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\254\263\25\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03160 876 NtWaitForSingleObject ... ) == 0x0 03313 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=94}, 0x0, ) , 16, 0, ... {status=0x103, info=94}, 0x0, ) == 0x103 03314 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03312 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1621, 0} ... {44, 68, reply, 0, 456, 460, 1621, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03315 460 NtClose (408, ... ) == 0x0 03316 460 NtClose (404, ... ) == 0x0 03317 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
404, {status=0x0, info=0}, ) == 0x0 03318 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03319 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03320 460 NtClose (408, ... ) == 0x0 03321 460 NtClose (404, ... ) == 0x0 03322 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03323 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03324 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03325 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03326 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03327 460 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 03328 460 NtCreateKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 408, 2, ) }, 0, 0x0, 0, ... 408, 2, ) == 0x0 03329 460 NtClose (404, ... ) == 0x0 03330 460 NtQueryValueKey (408, (408, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03331 460 NtClose (408, ... ) == 0x0 03332 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03333 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 03334 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 03335 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 03336 460 NtClose (408, ... ) == 0x0 03337 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0 03338 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03339 460 NtClose (408, ... ) == 0x0 03340 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0 03341 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03342 460 NtClose (408, ... ) == 0x0 03343 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03344 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 03345 460 NtQueryInformationToken (408, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03346 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 03347 460 NtCreateKey (0x2000000, {24, 404, 0x40, 0, 0, (0x2000000, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 412, 2, ) }, 0, 0x0, 0, ... 412, 2, ) == 0x0 03348 460 NtClose (404, ... ) == 0x0 03349 460 NtQueryValueKey (412, (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 03350 460 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10944512, 4096, ) == 0x0 03351 460 NtAllocateVirtualMemory (-1, 1437696, 0, 4096, 4096, 4, ... 1437696, 4096, ) == 0x0 03352 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03353 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03354 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03355 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03356 460 NtClose (404, ... ) == 0x0 03357 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03358 460 NtQueryValueKey (404, (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03359 460 NtClose (404, ... ) == 0x0 03360 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03361 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 404, ) }, ... 404, ) == 0x0 03362 460 NtQueryKey (404, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 03363 460 NtQuerySecurityObject (404, 7, 0, ... ) == STATUS_ACCESS_DENIED 03364 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03365 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03366 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03367 460 NtEnumerateValueKey (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03368 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03369 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03370 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03371 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03372 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03373 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03374 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03375 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03376 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03377 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03378 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03379 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03380 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03381 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03382 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03383 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03384 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03385 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03386 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03387 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03388 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03389 460 NtEnumerateValueKey (404, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03390 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03391 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03392 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03393 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03394 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03395 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03396 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03397 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03398 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03399 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 03400 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03401 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03402 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03403 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03404 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03405 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03406 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 03407 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03408 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03409 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03410 460 NtClose (404, ... ) == 0x0 03411 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 404, ) }, ... 404, ) == 0x0 03412 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "ActiveComputerName"}, ... 416, ) }, ... 416, ) == 0x0 03413 460 NtQueryValueKey (416, (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03414 460 NtClose (416, ... ) == 0x0 03415 460 NtClose (404, ... ) == 0x0 03416 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03417 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03418 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03419 460 NtClose (404, ... ) == 0x0 03420 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03421 460 NtQueryValueKey (404, (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 03422 460 NtClose (404, ... ) == 0x0 03423 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03424 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 404, ) }, ... 404, ) == 0x0 03425 460 NtQueryValueKey (404, (404, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03426 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03427 460 NtQueryValueKey (404, (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 03428 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03429 460 NtClose (404, ... ) == 0x0 03430 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03431 460 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 03432 460 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 03433 460 NtQueryInformationToken (408, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 03434 460 NtDuplicateToken (408, 0xc, {24, 0, 0x0, 0, 1237932, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 03435 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03436 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03437 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 03438 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03439 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03440 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236136, (0xc0100080, {24, 0, 0x40, 0, 1236136, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0 03441 460 NtSetInformationFile (420, 1236192, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03442 460 NtSetInformationFile (420, 1236184, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03443 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03444 460 NtWriteFile (420, 325, 0, 0, (420, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03445 460 NtReadFile (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03446 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20C!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03447 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\330\335\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\330\335\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03448 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\304~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03449 460 NtClose (416, ... ) == 0x0 03450 460 NtClose (420, ... ) == 0x0 03451 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03452 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0 03453 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03454 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03455 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236132, (0xc0100080, {24, 0, 0x40, 0, 1236132, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03456 460 NtSetInformationFile (416, 1236188, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03457 460 NtSetInformationFile (416, 1236180, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03458 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03459 460 NtWriteFile (416, 325, 0, 0, (416, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03460 460 NtReadFile (416, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (416, 325, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20D!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03461 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20D!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20D!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03462 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\330\335\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\330\335\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03463 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\305~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03464 460 NtClose (420, ... ) == 0x0 03465 460 NtClose (416, ... ) == 0x0 03466 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03467 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03468 460 NtQueryInformationToken (408, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03469 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 416, ) }, ... 416, ) == 0x0 03470 460 NtQueryValueKey (416, (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 03471 460 NtClose (416, ... ) == 0x0 03472 460 NtCreateKey (0x2001f, {24, 404, 0x40, 0, 0, (0x2001f, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 03473 460 NtQueryValueKey (416, (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 03474 460 NtClose (416, ... ) == 0x0 03475 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03476 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03477 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1237836, ... ) }, 1237836, ... ) == 0x0 03478 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237844, (0x80100080, {24, 0, 0x40, 0, 1237844, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
416, {status=0x0, info=1}, ) == 0x0 03479 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03480 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03481 460 NtQueryInformationFile (416, 1237860, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03482 460 NtReadFile (416, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 03483 460 NtClose (416, ... ) == 0x0 03484 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Environment"}, ... 416, ) }, ... 416, ) == 0x0 03485 460 NtAllocateVirtualMemory (-1, 1441792, 0, 12288, 4096, 4, ... 1441792, 12288, ) == 0x0 03486 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03487 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03488 460 NtEnumerateValueKey (416, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03489 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03490 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03491 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03492 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 03493 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03494 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03495 460 NtClose (420, ... ) == 0x0 03496 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03497 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03498 460 NtClose (420, ... ) == 0x0 03499 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03500 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03501 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03502 460 NtEnumerateValueKey (416, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03503 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03504 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03505 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 03506 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03507 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03508 460 NtClose (420, ... ) == 0x0 03509 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03510 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03511 460 NtClose (420, ... ) == 0x0 03512 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03513 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03514 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03515 460 NtEnumerateValueKey (416, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03516 460 NtClose (416, ... ) == 0x0 03517 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Volatile Environment"}, ... 416, ) }, ... 416, ) == 0x0 03518 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03519 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03520 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03521 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03522 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03523 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03524 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03525 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03526 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03527 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03528 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03529 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03530 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03531 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03532 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03533 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03534 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03535 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03536 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03537 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03538 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03539 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03540 460 NtClose (416, ... ) == 0x0 03541 460 NtClose (404, ... ) == 0x0 03542 460 NtFreeVirtualMemory (-1, (0xa70000), 0, 32768, ... (0xa70000), 4096, ) == 0x0 03543 460 NtClose (412, ... ) == 0x0 03544 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1238500, ... ) }, 1238500, ... ) == 0x0 03545 460 NtQueryInformationToken (408, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 03546 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 412, ) }, ... 412, ) == 0x0 03547 460 NtCreateKey (0x2000000, {24, 412, 0x40, 0, 0, (0x2000000, {24, 412, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 03548 460 NtClose (412, ... ) == 0x0 03549 460 NtSetValueKey (404, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03550 460 NtClose (404, ... ) == 0x0 03551 460 NtClose (408, ... ) == 0x0 03552 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03553 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03554 460 NtQueryInformationFile (192, 1239548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03555 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03556 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 03557 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03558 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03559 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03560 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03561 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03562 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 
404, 0x0, 0x0, 0x0, 112, ) == 0x0 03563 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0x\352\25\0\350\351\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1624, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0x\352\25\0\350\351\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1624, 0} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0x\352\25\0\350\351\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1624, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\11\0x\352\25\0\350\351\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03564 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 44, 3, 20, 0} (404, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\254\263\25\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03314 876 NtWaitForSingleObject ... 
) == 0x0 03565 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=94}, 0x0, ) , 16, 0, ... {status=0x103, info=94}, 0x0, ) == 0x103 03566 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03564 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1625, 0} ... {44, 68, reply, 0, 456, 460, 1625, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03567 460 NtClose (408, ... ) == 0x0 03568 460 NtClose (404, ... ) == 0x0 03569 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) == 0x0 03570 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03571 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... 
) == STATUS_UNSUCCESSFUL 03572 460 NtClose (408, ... ) == 0x0 03573 460 NtClose (404, ... ) == 0x0 03574 460 NtClearEvent (376, ... ) == 0x0 03575 460 NtSetEvent (376, ... 0x0, ) == 0x0 03576 460 NtClose (376, ... ) == 0x0 03577 460 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 376, ) == 0x0 03578 460 NtWaitForSingleObject (376, 0, 0x0, ... ) == 0x0 03579 460 NtClearEvent (376, ... ) == 0x0 03580 460 NtSetEvent (376, ... 0x0, ) == 0x0 03581 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03582 460 NtQueryInformationFile (192, 1241452, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03583 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03584 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03585 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03586 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03587 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03588 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03589 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03590 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03591 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03592 460 NtQueryInformationFile (192, 1241648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03593 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03594 460 NtReleaseMutant (240, ... 
0x0, ) == 0x0 03595 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03596 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03597 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03598 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bashchelik.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03599 460 NtQueryValueKey (392, (392, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03600 460 NtQueryValueKey (392, (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03601 460 NtClearEvent (228, ... ) == 0x0 03602 460 NtSetEvent (228, ... 0x0, ) == 0x0 03603 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "ProtocolDefaults\"}, ... 404, ) }, ... 404, ) == 0x0 03604 460 NtQueryValueKey (404, (404, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03605 460 NtClose (404, ... ) == 0x0 03606 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03607 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03608 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03609 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03610 460 NtWaitForSingleObject (368, 0, 0x0, ... ) == 0x0 03611 460 NtReleaseMutant (368, ... 0x0, ) == 0x0 03612 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03613 460 NtQueryInformationFile (192, 1241896, 24, Standard, ... 
{status=0x0, info=24}, ) == 0x0 03614 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03615 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03616 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 03617 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 408, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 408, 0x0, 0x0, 0x0, 112, ) == 0x0 03618 460 NtRequestWaitReplyPort (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1628, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1628, 0} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1628, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\12\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 03619 460 NtRequestWaitReplyPort (408, {64, 88, new_msg, 0, 456, 460, 1625, 0} (408, {64, 88, new_msg, 0, 456, 460, 1625, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1629, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 460, 1629, 0} (408, {64, 88, new_msg, 0, 456, 460, 1625, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1629, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03620 460 NtClose (404, ... ) == 0x0 03621 460 NtClose (408, ... ) == 0x0 03622 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 03623 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 03624 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03625 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03626 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03627 460 NtClose (408, ... ) == 0x0 03628 460 NtClose (404, ... ) == 0x0 03629 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) , 0, ... 404, 2, ) == 0x0 03630 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 408, ) }, ... 408, ) == 0x0 03631 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03632 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03633 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03634 460 NtClose (404, ... ) == 0x0 03635 460 NtClose (408, ... ) == 0x0 03636 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03637 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 408, ) }, ... 408, ) == 0x0 03638 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03639 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03640 460 NtClose (408, ... ) == 0x0 03641 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03642 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03643 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03644 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03645 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03646 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) == 0x0 03647 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1632, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1632, 0} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1632, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\13\0x\352\25\0\350\334\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ) ) == 0x0 03648 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 456, 460, 1629, 0} (404, {112, 136, new_msg, 0, 456, 460, 1629, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\254\263\25\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03566 876 NtWaitForSingleObject ... ) == 0x0 03649 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=94}, 0x0, ) , 16, 0, ... {status=0x103, info=94}, 0x0, ) == 0x103 03650 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03648 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1633, 0} ... 
{44, 68, reply, 0, 456, 460, 1633, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03651 460 NtClose (408, ... ) == 0x0 03652 460 NtClose (404, ... ) == 0x0 03653 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) == 0x0 03654 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03655 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv02.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03656 460 NtClose (408, ... ) == 0x0 03657 460 NtClose (404, ... ) == 0x0 03658 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03659 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03660 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03661 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03662 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03663 460 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 03664 460 NtCreateKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 408, 2, ) }, 0, 0x0, 0, ... 408, 2, ) == 0x0 03665 460 NtClose (404, ... ) == 0x0 03666 460 NtQueryValueKey (408, (408, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03667 460 NtClose (408, ... ) == 0x0 03668 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03669 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 03670 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 03671 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 03672 460 NtClose (408, ... ) == 0x0 03673 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0 03674 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03675 460 NtClose (408, ... ) == 0x0 03676 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 
408, {status=0x0, info=1}, ) == 0x0 03677 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03678 460 NtClose (408, ... ) == 0x0 03679 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03680 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 03681 460 NtQueryInformationToken (408, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 03682 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 03683 460 NtCreateKey (0x2000000, {24, 404, 0x40, 0, 0, (0x2000000, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 412, 2, ) }, 0, 0x0, 0, ... 412, 2, ) == 0x0 03684 460 NtClose (404, ... ) == 0x0 03685 460 NtQueryValueKey (412, (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 03686 460 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10944512, 4096, ) == 0x0 03687 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03688 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03689 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 
404, ) == 0x0 03690 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03691 460 NtClose (404, ... ) == 0x0 03692 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03693 460 NtQueryValueKey (404, (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03694 460 NtClose (404, ... ) == 0x0 03695 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03696 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 404, ) }, ... 404, ) == 0x0 03697 460 NtQueryKey (404, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 03698 460 NtQuerySecurityObject (404, 7, 0, ... ) == STATUS_ACCESS_DENIED 03699 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03700 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03701 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03702 460 NtEnumerateValueKey (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03703 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03704 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03705 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03706 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03707 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03708 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03709 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03710 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03711 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03712 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03713 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03714 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03715 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03716 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03717 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03718 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03719 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03720 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03721 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03722 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... 
TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03723 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03724 460 NtEnumerateValueKey (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03725 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03726 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03727 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03728 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03729 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03730 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03731 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03732 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03733 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03734 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 03735 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03736 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03737 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03738 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03739 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03740 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03741 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 03742 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03743 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03744 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03745 460 NtClose (404, ... ) == 0x0 03746 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 404, ) }, ... 404, ) == 0x0 03747 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "ActiveComputerName"}, ... 416, ) }, ... 416, ) == 0x0 03748 460 NtQueryValueKey (416, (416, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03749 460 NtClose (416, ... ) == 0x0 03750 460 NtClose (404, ... ) == 0x0 03751 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03752 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03753 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03754 460 NtClose (404, ... ) == 0x0 03755 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 03756 460 NtQueryValueKey (404, (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 03757 460 NtClose (404, ... ) == 0x0 03758 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03759 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 404, ) }, ... 404, ) == 0x0 03760 460 NtQueryValueKey (404, (404, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03761 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03762 460 NtQueryValueKey (404, (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 03763 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03764 460 NtClose (404, ... ) == 0x0 03765 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03766 460 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 03767 460 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 03768 460 NtQueryInformationToken (408, Type, 4, ... 
{token info, class 8, size 4}, 4, ) == 0x0 03769 460 NtDuplicateToken (408, 0xc, {24, 0, 0x0, 0, 1237932, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 03770 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03771 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03772 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 03773 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03774 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03775 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236136, (0xc0100080, {24, 0, 0x40, 0, 1236136, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0 03776 460 NtSetInformationFile (420, 1236192, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03777 460 NtSetInformationFile (420, 1236184, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03778 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03779 460 NtWriteFile (420, 325, 0, 0, (420, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03780 460 NtReadFile (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03781 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20E!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03782 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\30\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\30\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03783 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\306~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03784 460 NtClose (416, ... ) == 0x0 03785 460 NtClose (420, ... ) == 0x0 03786 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03787 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0 03788 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03789 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03790 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236132, (0xc0100080, {24, 0, 0x40, 0, 1236132, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03791 460 NtSetInformationFile (416, 1236188, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03792 460 NtSetInformationFile (416, 1236180, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03793 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03794 460 NtWriteFile (416, 325, 0, 0, (416, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03795 460 NtReadFile (416, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (416, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20F!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03796 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20F!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20F!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03797 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\30\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\30\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0l\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03798 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\307~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0 \242\25\0\1\0\0\0,\242\25\0 \0\0\0\1\0\0\0\16\0\20\08\242\25\0H\242\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03799 460 NtClose (420, ... ) == 0x0 03800 460 NtClose (416, ... ) == 0x0 03801 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03802 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03803 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03804 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 416, ) }, ... 416, ) == 0x0 03805 460 NtQueryValueKey (416, (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 03806 460 NtClose (416, ... ) == 0x0 03807 460 NtCreateKey (0x2001f, {24, 404, 0x40, 0, 0, (0x2001f, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 03808 460 NtQueryValueKey (416, (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 03809 460 NtClose (416, ... ) == 0x0 03810 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03811 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03812 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1237836, ... ) }, 1237836, ... ) == 0x0 03813 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237844, (0x80100080, {24, 0, 0x40, 0, 1237844, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 03814 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03815 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03816 460 NtQueryInformationFile (416, 1237860, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03817 460 NtReadFile (416, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 03818 460 NtClose (416, ... ) == 0x0 03819 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Environment"}, ... 416, ) }, ... 416, ) == 0x0 03820 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03821 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03822 460 NtEnumerateValueKey (416, 2, Full, 220, ... 
) == STATUS_NO_MORE_ENTRIES 03823 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03824 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03825 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03826 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 03827 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03828 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03829 460 NtClose (420, ... ) == 0x0 03830 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03831 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03832 460 NtClose (420, ... ) == 0x0 03833 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03834 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03835 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03836 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03837 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03838 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03839 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 03840 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 03841 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03842 460 NtClose (420, ... ) == 0x0 03843 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 
420, {status=0x0, info=1}, ) == 0x0 03844 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03845 460 NtClose (420, ... ) == 0x0 03846 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03847 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03848 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03849 460 NtEnumerateValueKey (416, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03850 460 NtClose (416, ... ) == 0x0 03851 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Volatile Environment"}, ... 416, ) }, ... 416, ) == 0x0 03852 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03853 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03854 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03855 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03856 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03857 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03858 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03859 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03860 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03861 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03862 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03863 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03864 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03865 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03866 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03867 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03868 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03869 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03870 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03871 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03872 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03873 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03874 460 NtClose (416, ... ) == 0x0 03875 460 NtClose (404, ... ) == 0x0 03876 460 NtFreeVirtualMemory (-1, (0xa70000), 0, 32768, ... (0xa70000), 4096, ) == 0x0 03877 460 NtClose (412, ... 
) == 0x0 03878 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1238500, ... ) }, 1238500, ... ) == 0x0 03879 460 NtQueryInformationToken (408, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 03880 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 412, ) }, ... 412, ) == 0x0 03881 460 NtCreateKey (0x2000000, {24, 412, 0x40, 0, 0, (0x2000000, {24, 412, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 03882 460 NtClose (412, ... ) == 0x0 03883 460 NtSetValueKey (404, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03884 460 NtClose (404, ... ) == 0x0 03885 460 NtClose (408, ... ) == 0x0 03886 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03887 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03888 460 NtQueryInformationFile (192, 1239548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03889 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03890 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 03891 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03892 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03893 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03894 460 NtWaitForSingleObject (112, 0, {0, 0}, ... 
) == 0x102 03895 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03896 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 404, 0x0, 0x0, 0x0, 112, ) == 0x0 03897 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0x\352\25\0\20\335\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1636, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0x\352\25\0\20\335\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1636, 0} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0x\352\25\0\20\335\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1636, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\14\0x\352\25\0\20\335\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03898 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 44, 3, 20, 0} (404, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\254\263\25\0\25\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0b\0a\0s\0h\0c\0h\0e\0l\0i\0k\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03650 876 NtWaitForSingleObject ... ) == 0x0 03899 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=94}, 0x0, ) , 16, 0, ... {status=0x103, info=94}, 0x0, ) == 0x103 03900 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03898 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1637, 0} ... {44, 68, reply, 0, 456, 460, 1637, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03901 460 NtClose (408, ... ) == 0x0 03902 460 NtClose (404, ... ) == 0x0 03903 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) == 0x0 03904 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
408, ) == 0x0 03905 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv02.bashchelik.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03906 460 NtClose (408, ... ) == 0x0 03907 460 NtClose (404, ... ) == 0x0 03908 460 NtClearEvent (376, ... ) == 0x0 03909 460 NtSetEvent (376, ... 0x0, ) == 0x0 03910 460 NtClose (376, ... ) == 0x0 03911 460 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 376, ) == 0x0 03912 460 NtWaitForSingleObject (376, 0, 0x0, ... ) == 0x0 03913 460 NtClearEvent (376, ... ) == 0x0 03914 460 NtSetEvent (376, ... 0x0, ) == 0x0 03915 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03916 460 NtQueryInformationFile (192, 1241452, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03917 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03918 460 NtOpenKey (0x20019, {24, 60, 0x40, 0, 0, (0x20019, {24, 60, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03919 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03920 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03921 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03922 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03923 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03924 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03925 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03926 460 NtQueryInformationFile (192, 1241648, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03927 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03928 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 03929 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03930 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03931 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Domains\debelizombi.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03932 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\debelizombi.com"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03933 460 NtQueryValueKey (392, (392, "IntranetName", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "IntranetName", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03934 460 NtQueryValueKey (392, (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (392, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03935 460 NtClearEvent (228, ... ) == 0x0 03936 460 NtSetEvent (228, ... 0x0, ) == 0x0 03937 460 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "ProtocolDefaults\"}, ... 404, ) }, ... 404, ) == 0x0 03938 460 NtQueryValueKey (404, (404, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (404, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 03939 460 NtClose (404, ... ) == 0x0 03940 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03941 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03942 460 NtWaitForSingleObject (384, 0, 0x0, ... ) == 0x0 03943 460 NtReleaseMutant (384, ... 0x0, ) == 0x0 03944 460 NtWaitForSingleObject (368, 0, 0x0, ... ) == 0x0 03945 460 NtReleaseMutant (368, ... 0x0, ) == 0x0 03946 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 03947 460 NtQueryInformationFile (192, 1241896, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03948 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 03949 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03950 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 03951 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 408, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1238356, 112, ... 
408, 0x0, 0x0, 0x0, 112, ) == 0x0 03952 460 NtRequestWaitReplyPort (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1640, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1640, 0} (408, {128, 152, new_msg, 0, 1310720, 123688, 1310720, 1238120} "\0$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1640, 0} "\7$\370w\30\353\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\15\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0\0\0\0\0\244\363\22\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 03953 460 NtRequestWaitReplyPort (408, {64, 88, new_msg, 0, 456, 460, 1637, 0} (408, {64, 88, new_msg, 0, 456, 460, 1637, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 456, 460, 1641, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... 
{52, 76, reply, 0, 456, 460, 1641, 0} (408, {64, 88, new_msg, 0, 456, 460, 1637, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0s\0r\0v\00\02\0.\0" ... {52, 76, reply, 0, 456, 460, 1641, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03954 460 NtClose (404, ... ) == 0x0 03955 460 NtClose (408, ... ) == 0x0 03956 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 408, 2, ) , 0, ... 408, 2, ) == 0x0 03957 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 03958 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03959 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03960 460 NtQueryValueKey (408, (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03961 460 NtClose (408, ... ) == 0x0 03962 460 NtClose (404, ... ) == 0x0 03963 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
404, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) , 0, ... 404, 2, ) == 0x0 03964 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 408, ) }, ... 408, ) == 0x0 03965 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03966 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03967 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03968 460 NtClose (404, ... ) == 0x0 03969 460 NtClose (408, ... ) == 0x0 03970 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03971 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 408, ) }, ... 408, ) == 0x0 03972 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03973 460 NtQueryValueKey (408, (408, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (408, "ComputerName", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03974 460 NtClose (408, ... ) == 0x0 03975 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03976 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03977 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 03978 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 03979 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 03980 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237692, 112, ... 404, 0x0, 0x0, 0x0, 112, ) == 0x0 03981 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\340\333\25\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1644, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\340\333\25\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1644, 0} (404, {128, 152, new_msg, 0, 1310720, 123024, 1310720, 1237456} "\0$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\355\25\0\4\0\0\0\0\355\25\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\340\333\25\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1644, 0} "\7$\370w\200\350\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\355\25\0\377\377\377\377\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\16\0x\352\25\00\324\25\0\0\0\0\0\0\0\0\0$1\347w\0\0\0\0\0\0\0\0\0\0\0\0\340\333\25\0\34\343\22\0\0\0\0\0\365\26\365w\5\0\0\0" ) ) == 0x0 03982 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 456, 460, 1641, 0} (404, {112, 136, new_msg, 0, 456, 460, 1641, 0} "\1\0\0\0A\2\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\254\263\25\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03900 876 NtWaitForSingleObject ... ) == 0x0 03983 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=95}, 0x0, ) , 16, 0, ... {status=0x103, info=95}, 0x0, ) == 0x103 03984 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 03982 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1645, 0} ... {44, 68, reply, 0, 456, 460, 1645, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 03985 460 NtClose (408, ... ) == 0x0 03986 460 NtClose (404, ... ) == 0x0 03987 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) == 0x0 03988 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
408, ) == 0x0 03989 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.debelizombi.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03990 460 NtClose (408, ... ) == 0x0 03991 460 NtClose (404, ... ) == 0x0 03992 460 NtWaitForSingleObject (240, 0, 0x0, ... ) == 0x0 03993 460 NtWaitForSingleObject (244, 0, 0x0, ... ) == 0x0 03994 460 NtReleaseMutant (244, ... 0x0, ) == 0x0 03995 460 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03996 460 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03997 460 NtCreateKey (0x2001d, {24, 48, 0x40, 0, 0, (0x2001d, {24, 48, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 03998 460 NtCreateKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 408, 2, ) }, 0, 0x0, 0, ... 408, 2, ) == 0x0 03999 460 NtClose (404, ... ) == 0x0 04000 460 NtQueryValueKey (408, (408, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04001 460 NtClose (408, ... ) == 0x0 04002 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04003 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 04004 460 NtReleaseSemaphore (208, 1, ... 0, ) == 0x0 04005 460 NtWaitForSingleObject (208, 0, {0, 0}, ... ) == 0x0 04006 460 NtClose (408, ... ) == 0x0 04007 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0 04008 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 04009 460 NtClose (408, ... ) == 0x0 04010 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 408, {status=0x0, info=1}, ) }, 3, 16417, ... 408, {status=0x0, info=1}, ) == 0x0 04011 460 NtQueryDirectoryFile (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, (408, 0, 0, 0, 1237476, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 04012 460 NtClose (408, ... ) == 0x0 04013 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04014 460 NtOpenProcessToken (-1, 0xc, ... 408, ) == 0x0 04015 460 NtQueryInformationToken (408, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 04016 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 04017 460 NtCreateKey (0x2000000, {24, 404, 0x40, 0, 0, (0x2000000, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 412, 2, ) }, 0, 0x0, 0, ... 412, 2, ) == 0x0 04018 460 NtClose (404, ... ) == 0x0 04019 460 NtQueryValueKey (412, (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (412, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 04020 460 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 10944512, 4096, ) == 0x0 04021 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04022 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04023 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 04024 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 04025 460 NtClose (404, ... ) == 0x0 04026 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 04027 460 NtQueryValueKey (404, (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 04028 460 NtClose (404, ... ) == 0x0 04029 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04030 460 NtOpenKey (0x1, {24, 48, 0x40, 0, 0, (0x1, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 404, ) }, ... 404, ) == 0x0 04031 460 NtQueryKey (404, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 04032 460 NtQuerySecurityObject (404, 7, 0, ... ) == STATUS_ACCESS_DENIED 04033 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 04034 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 04035 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 04036 460 NtEnumerateValueKey (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 04037 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04038 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 04039 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04040 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 04041 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04042 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 04043 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04044 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 04045 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04046 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 04047 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04048 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 04049 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04050 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 04051 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 04052 460 NtEnumerateValueKey (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (404, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 04053 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04054 460 NtEnumerateValueKey (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (404, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 04055 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04056 460 NtEnumerateValueKey (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (404, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 04057 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04058 460 NtEnumerateValueKey (404, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (404, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 04059 460 NtEnumerateValueKey (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (404, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 04060 460 NtEnumerateValueKey (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (404, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 04061 460 NtEnumerateValueKey (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (404, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 04062 460 NtEnumerateValueKey (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (404, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 04063 460 NtEnumerateValueKey (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (404, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 04064 460 NtEnumerateValueKey (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (404, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 04065 460 NtEnumerateValueKey (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 04066 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04067 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04068 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 04069 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04070 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04071 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04072 460 NtEnumerateValueKey (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (404, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (404, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 04073 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04074 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04075 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1236548, ... ) }, 1236548, ... ) == 0x0 04076 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04077 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04078 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04079 460 NtClose (404, ... ) == 0x0 04080 460 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 404, ) }, ... 404, ) == 0x0 04081 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "ActiveComputerName"}, ... 416, ) }, ... 416, ) == 0x0 04082 460 NtQueryValueKey (416, (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (416, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 04083 460 NtClose (416, ... ) == 0x0 04084 460 NtClose (404, ... ) == 0x0 04085 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... 
{BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04086 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 04087 460 NtQueryValueKey (404, (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (404, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 04088 460 NtClose (404, ... ) == 0x0 04089 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 404, ) }, ... 404, ) == 0x0 04090 460 NtQueryValueKey (404, (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 04091 460 NtClose (404, ... ) == 0x0 04092 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04093 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 404, ) }, ... 404, ) == 0x0 04094 460 NtQueryValueKey (404, (404, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 04095 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04096 460 NtQueryValueKey (404, (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 04097 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04098 460 NtClose (404, ... ) == 0x0 04099 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 04100 460 NtOpenKey (0x20019, {24, 356, 0x40, 0, 0, (0x20019, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 404, ) }, ... 404, ) == 0x0 04101 460 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 04102 460 NtQueryInformationToken (408, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 04103 460 NtDuplicateToken (408, 0xc, {24, 0, 0x0, 0, 1237932, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 04104 460 NtQueryInformationToken (408, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 04105 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04106 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 04107 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04108 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 04109 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236136, (0xc0100080, {24, 0, 0x40, 0, 1236136, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 420, {status=0x0, info=1}, ) == 0x0 04110 460 NtSetInformationFile (420, 1236192, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 04111 460 NtSetInformationFile (420, 1236184, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 04112 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 04113 460 NtWriteFile (420, 325, 0, 0, (420, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 04114 460 NtReadFile (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (420, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20G!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 04115 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20G!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20G!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 04116 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\210\354\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\224\343\22\0\1\0\0\0\210\354\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 04117 460 NtFsControlFile (420, 325, 0x0, 0x0, 0x11c017, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (420, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\310~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 04118 460 NtClose (416, ... ) == 0x0 04119 460 NtClose (420, ... ) == 0x0 04120 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04121 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 420, ) == 0x0 04122 460 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 04123 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 04124 460 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1236132, (0xc0100080, {24, 0, 0x40, 0, 1236132, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 416, {status=0x0, info=1}, ) == 0x0 04125 460 NtSetInformationFile (416, 1236188, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 04126 460 NtSetInformationFile (416, 1236180, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 04127 460 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 04128 460 NtWriteFile (416, 325, 0, 0, (416, 325, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 04129 460 NtReadFile (416, 325, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (416, 325, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 04130 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0X\343\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20H!\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 04131 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\210\354\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\220\343\22\0\1\0\0\0\210\354\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0o\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 04132 460 NtFsControlFile (416, 325, 0x0, 0x0, 0x11c017, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (416, 325, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\311~\217\303\310?\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\20\264\25\0\1\0\0\0\34\264\25\0 \0\0\0\1\0\0\0\16\0\20\0(\264\25\08\264\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\310\266\25\0\1\0\0\0\1\0\0\0\20\0\22\0\334\266\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 04133 460 NtClose (420, ... ) == 0x0 04134 460 NtClose (416, ... ) == 0x0 04135 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04136 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04137 460 NtQueryInformationToken (408, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 04138 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 416, ) }, ... 416, ) == 0x0 04139 460 NtQueryValueKey (416, (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (416, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 04140 460 NtClose (416, ... ) == 0x0 04141 460 NtCreateKey (0x2001f, {24, 404, 0x40, 0, 0, (0x2001f, {24, 404, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 04142 460 NtQueryValueKey (416, (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 04143 460 NtClose (416, ... ) == 0x0 04144 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04145 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04146 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1237836, ... ) }, 1237836, ... ) == 0x0 04147 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237844, (0x80100080, {24, 0, 0x40, 0, 1237844, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 416, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
416, {status=0x0, info=1}, ) == 0x0 04148 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04149 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04150 460 NtQueryInformationFile (416, 1237860, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04151 460 NtReadFile (416, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 04152 460 NtClose (416, ... ) == 0x0 04153 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Environment"}, ... 416, ) }, ... 416, ) == 0x0 04154 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 04155 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 04156 460 NtEnumerateValueKey (416, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 04157 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 04158 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04159 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04160 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 04161 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 04162 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 04163 460 NtClose (420, ... ) == 0x0 04164 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 04165 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 04166 460 NtClose (420, ... ) == 0x0 04167 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04168 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04169 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04170 460 NtEnumerateValueKey (416, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 04171 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04172 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 04173 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1236576, ... ) }, 1236576, ... ) == 0x0 04174 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 04175 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 04176 460 NtClose (420, ... ) == 0x0 04177 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 420, {status=0x0, info=1}, ) }, 3, 16417, ... 420, {status=0x0, info=1}, ) == 0x0 04178 460 NtQueryDirectoryFile (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, (420, 0, 0, 0, 1235936, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 04179 460 NtClose (420, ... ) == 0x0 04180 460 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 04181 460 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 04182 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04183 460 NtEnumerateValueKey (416, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 04184 460 NtClose (416, ... ) == 0x0 04185 460 NtOpenKey (0x20019, {24, 404, 0x40, 0, 0, (0x20019, {24, 404, 0x40, 0, 0, "Volatile Environment"}, ... 416, ) }, ... 416, ) == 0x0 04186 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 04187 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04188 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 04189 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04190 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 04191 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04192 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 04193 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04194 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 04195 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04196 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 04197 460 NtQueryVirtualMemory (-1, 0xa70000, Basic, 28, ... {BaseAddress=0xa70000,AllocationBase=0xa70000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 04198 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 04199 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 04200 460 NtEnumerateValueKey (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (416, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 04201 460 NtEnumerateValueKey (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (416, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 04202 460 NtEnumerateValueKey (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (416, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 04203 460 NtEnumerateValueKey (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (416, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 04204 460 NtEnumerateValueKey (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (416, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 04205 460 NtEnumerateValueKey (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (416, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 04206 460 NtEnumerateValueKey (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (416, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 04207 460 NtEnumerateValueKey (416, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 04208 460 NtClose (416, ... ) == 0x0 04209 460 NtClose (404, ... ) == 0x0 04210 460 NtFreeVirtualMemory (-1, (0xa70000), 0, 32768, ... (0xa70000), 4096, ) == 0x0 04211 460 NtClose (412, ... ) == 0x0 04212 460 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1238500, ... ) }, 1238500, ... ) == 0x0 04213 460 NtQueryInformationToken (408, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 04214 460 NtOpenKey (0x2001f, {24, 356, 0x40, 0, 0, (0x2001f, {24, 356, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 412, ) }, ... 412, ) == 0x0 04215 460 NtCreateKey (0x2000000, {24, 412, 0x40, 0, 0, (0x2000000, {24, 412, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 404, 2, ) }, 0, 0x0, 0, ... 404, 2, ) == 0x0 04216 460 NtClose (412, ... ) == 0x0 04217 460 NtSetValueKey (404, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (404, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 04218 460 NtClose (404, ... ) == 0x0 04219 460 NtClose (408, ... ) == 0x0 04220 460 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 04221 460 NtWaitForSingleObject (196, 0, 0x0, ... ) == 0x0 04222 460 NtQueryInformationFile (192, 1239548, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 04223 460 NtReleaseMutant (196, ... 0x0, ) == 0x0 04224 460 NtReleaseMutant (240, ... 0x0, ) == 0x0 04225 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 04226 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 04227 460 NtWaitForSingleObject (104, 0, {0, 0}, ... ) == 0x102 04228 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 04229 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 04230 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1237688, 112, ... 
404, 0x0, 0x0, 0x0, 112, ) == 0x0 04231 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0x\352\25\0X\324\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1648, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0x\352\25\0X\324\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1648, 0} (404, {128, 152, new_msg, 0, 123020, 1310720, 1237452, 2012750850} "\0\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w\0\355\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0x\352\25\0X\324\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1648, 0} "\7\350\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\17\0x\352\25\0X\324\25\0\0\0\0\0f\0\0\03\0\0\0l\351\22\0\0\0\0\0\0\0\22\0h\342\22\0\240P\25\0\224\345\22\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 04232 460 NtRequestWaitReplyPort (404, {112, 136, new_msg, 0, 44, 3, 20, 0} (404, {112, 136, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\11\0\310?\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\254\263\25\0\26\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0d\0e\0b\0e\0l\0i\0z\0o\0m\0b\0i\0.\0c\0o\0m\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 03984 876 NtWaitForSingleObject ... 
) == 0x0 04233 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=95}, 0x0, ) , 16, 0, ... {status=0x103, info=95}, 0x0, ) == 0x103 04234 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 04232 460 NtRequestWaitReplyPort ... {44, 68, reply, 0, 456, 460, 1649, 0} ... {44, 68, reply, 0, 456, 460, 1649, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\264\5\0\0\1\0\0\0" ) ) == 0x0 04235 460 NtClose (408, ... ) == 0x0 04236 460 NtClose (404, ... ) == 0x0 04237 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 404, {status=0x0, info=0}, ) == 0x0 04238 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 408, ) == 0x0 04239 460 NtDeviceIoControlFile (404, 408, 0x0, 0x0, 0xf14014, (404, 408, 0x0, 0x0, 0xf14014, "\3\0\0\0srv01.debelizombi.com\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... 
) == STATUS_UNSUCCESSFUL 04240 460 NtClose (408, ... ) == 0x0 04241 460 NtClose (404, ... ) == 0x0 04242 460 NtClearEvent (376, ... ) == 0x0 04243 460 NtSetEvent (376, ... 0x0, ) == 0x0 04244 460 NtClose (376, ... ) == 0x0 04245 460 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1242800, (0x80100080, {24, 0, 0x40, 0, 1242800, "\??\C:\WINDOWS\imon.cfg"}, 0x0, 0, 1, 1, 96, 0, 0, ... ) }, 0x0, 0, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04246 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 04247 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0 04248 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1239612, 112, ... 404, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1239612, 112, ... 404, 0x0, 0x0, 0x0, 112, ) == 0x0 04249 460 NtRequestWaitReplyPort (404, {128, 152, new_msg, 0, 1310720, 124944, 1310720, 1239376} (404, {128, 152, new_msg, 0, 1310720, 124944, 1310720, 1239376} "\0$\370w\0\360\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\336\25\0\4\0\0\0\210\336\25\0\20\344\314w\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\0\245\25\0\350\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1652, 0} "\7$\370w\0\360\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\336\25\0\377\377\377\377\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\0\245\25\0\350\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1652, 0} (404, {128, 152, new_msg, 0, 1310720, 124944, 1310720, 1239376} "\0$\370w\0\360\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\336\25\0\4\0\0\0\210\336\25\0\20\344\314w\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\0\245\25\0\350\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1652, 0} "\7$\370w\0\360\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\336\25\0\377\377\377\377\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\20\0\0\245\25\0\350\263\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0" ) ) == 0x0 04250 460 NtRequestWaitReplyPort (404, {64, 88, new_msg, 0, 456, 460, 1649, 0} (404, {64, 88, new_msg, 0, 456, 460, 1649, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1653, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 460, 1653, 0} (404, {64, 88, new_msg, 0, 456, 460, 1649, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\26\0\0\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1653, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04251 460 NtClose (376, ... ) == 0x0 04252 460 NtClose (404, ... ) == 0x0 04253 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) , 0, ... 404, 2, ) == 0x0 04254 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0 04255 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04256 460 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04257 460 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04258 460 NtClose (404, ... ) == 0x0 04259 460 NtClose (376, ... ) == 0x0 04260 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0 04261 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04262 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04263 460 NtQueryValueKey (376, (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04264 460 NtQueryValueKey (376, (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04265 460 NtClose (376, ... ) == 0x0 04266 460 NtClose (404, ... ) == 0x0 04267 460 NtWaitForSingleObject (112, 0, {0, 0}, ... ) == 0x102 04268 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 
404, ) == 0x0 04269 460 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1239412, 112, ... 376, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1239412, 112, ... 376, 0x0, 0x0, 0x0, 112, ) == 0x0 04270 460 NtRequestWaitReplyPort (376, {128, 152, new_msg, 0, 1310720, 124744, 1310720, 1239176} (376, {128, 152, new_msg, 0, 1310720, 124744, 1310720, 1239176} "\0$\370w8\357\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\336\25\0\4\0\0\0\210\336\25\0\20\344\314w\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\0\245\25\0\360\264\25\0\0\0\0\0\370\353\22\0\250\353\22\0\230\355\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... {128, 152, reply, 0, 456, 460, 1656, 0} "\7$\370w8\357\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\336\25\0\377\377\377\377\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\0\245\25\0\360\264\25\0\0\0\0\0\370\353\22\0\250\353\22\0\230\355\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ) ... {128, 152, reply, 0, 456, 460, 1656, 0} (376, {128, 152, new_msg, 0, 1310720, 124744, 1310720, 1239176} "\0$\370w8\357\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210\336\25\0\4\0\0\0\210\336\25\0\20\344\314w\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\0\245\25\0\360\264\25\0\0\0\0\0\370\353\22\0\250\353\22\0\230\355\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ... 
{128, 152, reply, 0, 456, 460, 1656, 0} "\7$\370w8\357\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210\336\25\0\377\377\377\377\210\336\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\21\0\0\245\25\0\360\264\25\0\0\0\0\0\370\353\22\0\250\353\22\0\230\355\22\0\0\0\0\0\0\0\25\0\377\377\377\377\365\26\365w\0\0\0\0\13\30\365w\5\0\0\0" ) ) == 0x0 04271 460 NtRequestWaitReplyPort (376, {64, 88, new_msg, 0, 456, 460, 1653, 0} (376, {64, 88, new_msg, 0, 456, 460, 1653, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1657, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 456, 460, 1657, 0} (376, {64, 88, new_msg, 0, 456, 460, 1653, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0s\0r\0v\00\01\0.\0" ... {52, 76, reply, 0, 456, 460, 1657, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 04272 460 NtClose (404, ... ) == 0x0 04273 460 NtClose (376, ... ) == 0x0 04274 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 376, 2, ) , 0, ... 376, 2, ) == 0x0 04275 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 404, ) }, ... 404, ) == 0x0 04276 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 04277 460 NtQueryValueKey (376, (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04278 460 NtQueryValueKey (376, (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 04279 460 NtClose (376, ... ) == 0x0 04280 460 NtClose (404, ... ) == 0x0 04281 460 NtCreateKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) }, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 404, 2, ) , 0, ... 404, 2, ) == 0x0 04282 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 376, ) }, ... 376, ) == 0x0 04283 460 NtOpenKey (0x20019, {24, 48, 0x40, 0, 0, (0x20019, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 04284 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04285 460 NtQueryValueKey (404, (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (404, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 04286 460 NtClose (404, ... ) == 0x0 04287 460 NtClose (376, ... 
) == 0x0 04288 460 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 376, {status=0x0, info=0}, ) == 0x0 04289 460 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 04290 460 NtDeviceIoControlFile (376, 404, 0x0, 0x0, 0xf14014, (376, 404, 0x0, 0x0, 0xf14014, "\3\0\0\0MYWORLD\0\231%\362v\2\0\0\200\330\304\362v\0\0\0\0\360\356\22\0O\345\367w{\30\335w\0\0\0\0\300.\24\0\0\0\24\0\200\23\25\0\0\0\0\0\0\360\22\0\277\37\365w\0\0\24\0\203 \365w\10\6\24\0\215\26\365w\0\0\0\0\260\27\25\0\260\31\25\0\24\232\347w\23\30\26\0\250\336\25\0\266\336\25\0\24\30\25\0\377\377\0\0\0\0\0\0\24\30\25\0\7\0\0\0\250\336\25\0\254\357\22\0\177;\245q\0\0\0\0\0\0\0\0\250\336\25\0\0\0\0\0\24\30\25\0\377\377\0\0\1\0\0\0\210\1\24\0\210\23\25\0\4\0\0\0\0\0\0\0\210\1\24\0\200\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\10\30\25\0\364\27\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\260\31\1\1\0\0\24\0D\357\22\0$\364\22\0\274\373\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\260\31\25\0\240\305\25\0\310\266\25\0\340\266\25\0\250\336\25\0\266\336\25\0\24\30\25\0\377\377\0\0\0\0\0\0\24\30\25\0\7\0\0\0\250\336\25\0t\360\22\0\177;\245q\0\0\0\0\0\0\0\0\250\336\25\0\0\0\0\0\24\30\25\0\377\377\0\0\1\0\0\0\210\1\24\0x\23\25\0\4\0\0\0\0\0\0\0\210\1\24\0p\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\365<\245q\10\30\25\0\364\27\25\0\2\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\30*\1\1\0\0\24\0\14\360\22\0\354\364\22\0\274\373\22\0\2$\370w\370T\367wa/\245q\2642\250q\0\0\0\0\0\0\0\0:/\245q\30*\25\0\340\260\25\0\310\266\25\0", 1552, 0, ... {status=0x0, info=0}, 0x0, ) , 1552, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 04291 460 NtClose (404, ... ) == 0x0 04292 460 NtClose (376, ... ) == 0x0 04293 460 NtUserGetMessage (0, 0, 0, ... 04234 876 NtWaitForSingleObject ... 
) == 0x0 04294 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04295 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04296 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04297 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04298 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04299 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04300 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04301 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04302 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04303 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04304 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04305 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04306 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04307 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04308 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04309 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04310 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04311 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04312 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04313 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04314 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04315 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04316 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04317 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04318 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04319 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04320 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04321 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04322 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04323 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04324 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04325 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04326 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04327 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04328 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04329 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04330 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04331 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04332 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04333 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04334 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04335 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04336 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04337 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04338 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04339 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04340 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04341 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04342 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04343 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04344 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04345 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04346 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04347 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04348 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04349 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04350 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04351 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04352 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04353 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04354 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04355 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04356 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04357 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04358 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04359 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04360 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04361 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04362 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04363 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04364 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04365 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04366 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04367 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04368 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04369 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04370 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04371 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04372 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04373 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04374 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04375 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04376 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04377 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04378 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04379 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04380 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04381 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04382 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04383 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04384 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04385 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04386 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04387 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04388 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04389 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04390 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04391 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04392 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04393 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04394 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04395 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04396 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04397 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04398 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04399 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04400 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04401 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04402 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04403 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04404 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04405 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04406 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04407 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04408 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04409 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04410 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04411 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04412 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04413 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04414 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04415 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04416 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04417 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04418 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04419 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04420 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04421 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04422 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04423 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04424 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04425 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04426 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04427 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04428 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04429 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04430 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04431 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04432 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04433 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04434 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04435 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04436 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04437 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04438 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04439 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04440 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04441 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04442 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04443 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04444 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04445 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04446 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04447 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04448 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04449 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04450 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04451 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04452 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04453 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04454 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04455 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04456 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04457 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04458 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04459 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04460 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04461 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04462 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04463 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04464 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04465 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04466 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04467 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04468 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04469 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04470 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04471 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04472 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04473 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04474 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04475 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04476 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04477 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04478 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04479 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04480 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04481 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04482 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04483 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04484 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04485 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04486 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04487 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04488 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04489 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04490 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04491 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04492 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04493 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04494 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04495 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04496 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04497 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04498 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04499 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04500 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04501 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04502 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04503 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04504 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04505 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04506 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04507 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04508 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04509 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04510 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04511 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04512 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04513 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04514 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04515 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04516 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04517 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04518 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04519 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04520 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04521 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04522 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04523 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04524 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04525 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04526 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04527 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04528 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04529 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04530 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04531 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04532 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04533 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04534 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04535 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04536 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04537 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04538 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04539 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04540 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04541 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04542 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04543 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04544 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04545 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04546 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04547 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04548 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04549 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04550 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04551 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04552 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04553 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04554 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04555 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04556 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04557 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04558 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04559 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04560 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04561 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04562 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04563 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04564 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04565 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04566 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04567 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04568 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04569 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04570 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04571 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04572 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04573 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04574 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04575 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04576 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04577 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04578 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04579 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04580 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04581 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04582 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04583 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04584 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04585 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... 
{status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04586 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04587 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04588 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04589 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04590 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04591 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04592 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04593 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04594 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04595 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04596 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04597 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04598 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04599 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04600 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04601 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04602 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04603 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04604 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04605 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04606 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04607 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04608 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04609 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04610 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04611 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04612 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04613 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04614 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04615 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04616 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04617 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04618 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04619 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04620 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04621 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04622 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04623 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04624 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04625 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04626 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04627 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04628 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04629 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04630 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04631 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04632 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04633 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04634 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04635 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04636 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04637 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04638 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04639 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04640 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04641 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04642 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04643 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04644 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04645 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04646 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04647 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04648 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04649 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04650 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04651 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04652 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04653 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04654 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04655 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04656 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04657 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04658 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04659 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04660 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04661 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04662 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04663 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04664 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04665 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04666 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04667 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04668 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04669 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04670 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04671 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04672 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04673 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04674 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04675 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04676 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04677 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04678 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04679 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04680 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04681 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04682 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04683 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04684 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04685 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04686 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04687 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04688 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04689 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04690 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04691 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04692 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04693 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04694 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04695 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04696 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04697 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04698 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04699 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04700 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04701 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04702 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04703 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04704 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04705 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04706 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04707 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04708 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04709 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04710 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04711 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04712 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04713 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04714 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04715 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04716 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04717 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04718 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04719 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04720 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04721 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04722 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04723 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04724 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04725 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04726 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04727 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04728 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04729 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04730 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04731 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04732 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04733 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04734 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04735 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04736 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04737 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04738 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04739 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04740 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04741 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04742 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04743 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04744 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04745 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04746 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04747 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04748 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04749 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04750 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04751 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04752 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04753 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04754 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04755 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04756 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04757 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04758 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04759 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04760 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04761 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04762 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04763 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04764 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04765 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04766 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04767 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04768 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04769 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04770 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04771 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04772 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04773 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04774 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04775 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04776 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04777 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04778 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04779 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04780 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04781 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04782 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04783 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04784 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04785 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04786 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04787 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04788 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04789 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04790 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04791 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04792 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04793 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04794 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04795 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04796 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04797 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04798 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04799 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04800 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04801 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04802 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04803 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04804 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04805 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04806 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04807 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04808 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04809 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04810 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04811 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04812 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04813 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04814 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04815 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04816 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04817 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04818 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04819 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04820 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04821 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04822 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04823 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04824 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04825 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04826 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04827 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04828 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04829 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04830 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04831 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04832 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04833 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04834 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04835 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04836 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04837 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04838 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04839 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04840 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04841 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04842 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04843 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04844 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04845 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04846 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04847 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04848 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04849 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04850 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04851 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... 
{status=0x103, info=91}, 0x0, ) == 0x103 04852 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04853 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04854 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04855 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04856 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04857 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04858 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04859 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04860 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04861 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04862 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04863 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04864 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04865 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04866 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04867 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04868 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04869 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04870 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04871 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04872 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04873 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04874 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04875 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04876 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04877 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04878 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04879 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04880 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04881 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04882 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04883 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04884 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04885 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04886 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04887 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04888 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04889 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04890 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04891 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04892 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04893 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04894 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04895 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04896 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04897 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04898 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04899 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04900 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04901 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04902 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04903 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04904 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04905 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04906 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04907 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04908 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... 
{status=0x0, info=91}, 0x0, ) == 0x0 04909 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04910 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04911 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04912 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04913 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04914 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04915 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04916 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04917 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04918 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04919 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... 
) == 0x0 04920 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04921 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04922 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04923 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0 04924 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x0, info=91}, 0x0, ) , 16, 0, ... {status=0x0, info=91}, 0x0, ) == 0x0 04925 876 NtDeviceIoControlFile (144, 140, 0x0, 0x0, 0x12017, (144, 140, 0x0, 0x0, 0x12017, "\240\372\237\0\1\0\0\0\0\0\0\0 \0\0\0", 16, 0, ... {status=0x103, info=91}, 0x0, ) , 16, 0, ... {status=0x103, info=91}, 0x0, ) == 0x103 04926 876 NtWaitForSingleObject (140, 1, {-5000000, -1}, ... ) == 0x0