Summary (one entry per syscall: name, `(>)`, call count; sorted by ascending count, reading down each column):

NtAccessCheck(>) 1 NtCreateIoCompletion(>) 2 NtFlushInstructionCache(>) 11 NtQueryInformationToken(>) 44
NtAddAtom(>) 1 NtGdiCreateSolidBrush(>) 2 NtEnumerateKey(>) 12 NtSetInformationThread(>) 44
NtCallbackReturn(>) 1 NtOpenDirectoryObject(>) 2 NtOpenProcessToken(>) 12 NtFsControlFile(>) 45
NtContinue(>) 1 NtQueryInstallUILanguage(>) 2 NtOpenProcessTokenEx(>) 12 NtOpenThreadToken(>) 45
NtGdiCreateBitmap(>) 1 NtTerminateProcess(>) 2 NtOpenThreadTokenEx(>) 12 NtUserUnregisterClass(>) 46
NtGdiInit(>) 1 NtDeleteValueKey(>) 3 NtQueryDefaultUILanguage(>) 12 NtUserFindExistingCursorIcon(>) 48
NtGdiQueryFontAssocInfo(>) 1 NtGdiCreateCompatibleDC(>) 3 NtSetEvent(>) 13 NtSetInformationProcess(>) 50
NtGdiSelectBitmap(>) 1 NtWaitForMultipleObjects(>) 3 NtWriteFile(>) 14 NtQueryInformationProcess(>) 54
NtOpenKeyedEvent(>) 1 NtDuplicateObject(>) 4 NtDeviceIoControlFile(>) 19 NtCreateEvent(>) 55
NtOpenProcess(>) 1 NtNotifyChangeKey(>) 4 NtReadFile(>) 19 NtOpenSection(>) 55
NtOpenSymbolicLinkObject(>) 1 NtUserRegisterWindowMessage(>) 4 NtProtectVirtualMemory(>) 22 NtCreateKey(>) 57
NtQueryEvent(>) 1 NtDuplicateToken(>) 5 NtQueryInformationFile(>) 22 NtWaitForSingleObject(>) 59
NtQueryObject(>) 1 NtGdiGetStockObject(>) 5 NtUnmapViewOfSection(>) 22 NtUserRegisterClassExWOW(>) 63
NtQuerySymbolicLinkObject(>) 1 NtQuerySecurityObject(>) 5 NtRequestWaitReplyPort(>) 25 NtMapViewOfSection(>) 70
NtQuerySystemTime(>) 1 NtSetInformationObject(>) 5 NtSetValueKey(>) 27 NtUserGetClassInfo(>) 82
NtQueryTimerResolution(>) 1 NtConnectPort(>) 7 NtQueryDebugFilterState(>) 29 NtOpenFile(>) 101
NtRegisterThreadTerminatePort(>) 1 NtOpenEvent(>) 7 NtQueryDirectoryFile(>) 29 NtAllocateVirtualMemory(>) 109
NtSecureConnectPort(>) 1 NtReleaseSemaphore(>) 7 NtQuerySystemInformation(>) 29 NtQueryAttributesFile(>) 146
NtTestAlert(>) 1 NtClearEvent(>) 8 NtQuerySection(>) 31 NtQueryVirtualMemory(>) 197
NtUserCallNoParam(>) 1 NtCreateMutant(>) 8 NtFreeVirtualMemory(>) 35 NtEnumerateValueKey(>) 231
NtUserCallOneParam(>) 1 NtQueryKey(>) 8 NtReleaseMutant(>) 35 NtOpenKey(>) 291
NtUserGetDC(>) 1 NtQueryVolumeInformationFile(>) 8 NtCreateFile(>) 40 NtQueryValueKey(>) 471
NtUserGetObjectInformation(>) 1 NtOpenMutant(>) 9 NtQueryDefaultLocale(>) 40 NtClose(>) 553
NtUserGetProcessWindowStation(>) 1 NtUserSystemParametersInfo(>) 10 NtSetInformationFile(>) 41
NtUserGetThreadDesktop(>) 1 NtCreateSemaphore(>) 11

Trace (one entry per call: sequence number, caller id (468 on every line), syscall, arguments with output values after `...`, then `== status`):

00001 468 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 468 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00003 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00004 468 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00005 468 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00006 468 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00007 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00008 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00009 468 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00010 468 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00011 468 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 12, ) == 0x0 00012 468 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00013 468 NtClose (12, ... 
) == 0x0 00014 468 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\U:\startupscripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00015 468 NtQueryVolumeInformationFile (12, 1243848, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00016 468 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... ) == STATUS_INVALID_PARAMETER 00017 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243832, ... ) }, 1243832, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 468 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e60000), 0x0, 937984, ) == 0x0 00020 468 NtClose (16, ... ) == 0x0 00021 468 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00022 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00023 468 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00024 468 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1242016, 44, ... 24, {24, 16, 0, 65536, 2424832, 18481152}, {0, 0, 0}, 200, 44, ) == 0x0 00025 468 NtClose (16, ... ) == 0x0 00026 468 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00027 468 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00028 468 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00029 468 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00030 468 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00031 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 0, 0, 0, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 468, 1526, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ... {28, 56, reply, 0, 464, 468, 1526, 0} (24, {28, 56, new_msg, 0, 0, 0, 0, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ... {28, 56, reply, 0, 464, 468, 1526, 0} "\330\375\26\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\32\1\4\0\0\0" ) ) == 0x0 00032 468 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00033 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00034 468 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00035 468 NtClose (16, ... ) == 0x0 00036 468 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 1232896, 4096, ) == 0x0 00037 468 NtOpenMutant (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\NlsCacheMutant"}, ... 16, ) }, ... 16, ) == 0x0 00038 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 28, ) }, ... 
28, ) == 0x0 00039 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00040 468 NtClose (28, ... ) == 0x0 00041 468 NtQueryDefaultLocale (0, 2012046252, ... ) == 0x0 00042 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 28, ) }, ... 28, ) == 0x0 00043 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 212992, ) == 0x0 00044 468 NtClose (28, ... ) == 0x0 00045 468 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 28, ) }, ... 28, ) == 0x0 00046 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00047 468 NtQuerySection (28, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00048 468 NtClose (28, ... ) == 0x0 00049 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 28, ) }, ... 28, ) == 0x0 00050 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00051 468 NtClose (28, ... ) == 0x0 00052 468 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... {BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00053 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00054 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00055 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... 
{28, 56, reply, 0, 464, 468, 1549, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ... {28, 56, reply, 0, 464, 468, 1549, 0} (24, {28, 56, new_msg, 0, 2012558373, 2012047104, 2013025280, 0} "\210\6\32\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ... {28, 56, reply, 0, 464, 468, 1549, 0} "\10\260\27\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\32\18\6\0\0" ) ) == 0x0 00056 468 NtProtectVirtualMemory (-1, (0x402000), 112, 4, ... (0x402000), 4096, 2, ) == 0x0 00057 468 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00058 468 NtFlushInstructionCache (-1, 4202496, 112, ... ) == 0x0 00059 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USER32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00060 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77d40000), 0x0, 577536, ) == 0x0 00061 468 NtClose (28, ... ) == 0x0 00062 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00063 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c70000), 0x0, 262144, ) == 0x0 00064 468 NtClose (28, ... ) == 0x0 00065 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00066 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 569344, ) == 0x0 00067 468 NtClose (28, ... ) == 0x0 00068 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00069 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77cc0000), 0x0, 479232, ) == 0x0 00070 468 NtClose (28, ... ) == 0x0 00071 468 NtProtectVirtualMemory (-1, (0x402000), 112, 4, ... (0x402000), 4096, 2, ) == 0x0 00072 468 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00073 468 NtFlushInstructionCache (-1, 4202496, 112, ... 
) == 0x0 00074 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SHLWAPI.dll"}, ... 28, ) }, ... 28, ) == 0x0 00075 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x772d0000), 0x0, 405504, ) == 0x0 00076 468 NtClose (28, ... ) == 0x0 00077 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 28, ) }, ... 28, ) == 0x0 00078 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 339968, ) == 0x0 00079 468 NtClose (28, ... ) == 0x0 00080 468 NtProtectVirtualMemory (-1, (0x402000), 112, 4, ... (0x402000), 4096, 2, ) == 0x0 00081 468 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00082 468 NtFlushInstructionCache (-1, 4202496, 112, ... ) == 0x0 00083 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WSOCK32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00084 468 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 1323008, 4096, ) == 0x0 00085 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00086 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00087 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.dll"}, 1242624, ... ) }, 1242624, ... ) == 0x0 00088 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WSOCK32.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00089 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00090 468 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00091 468 NtOpenProcessToken (-1, 0x8, ... 36, ) == 0x0 00092 468 NtQueryInformationToken (36, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00093 468 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00094 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00095 468 NtQueryValueKey (40, (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (40, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00096 468 NtClose (40, ... ) == 0x0 00097 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00098 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00099 468 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00100 468 NtClose (40, ... ) == 0x0 00101 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00102 468 NtClose (36, ... ) == 0x0 00103 468 NtClose (28, ... ) == 0x0 00104 468 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ad0000), 0x0, 32768, ) == 0x0 00105 468 NtClose (32, ... ) == 0x0 00106 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1241820, ... ) }, 1241820, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2_32.dll"}, 1241820, ... ) }, 1241820, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00109 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 1241820, ... ) }, 1241820, ... ) == 0x0 00110 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2_32.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00111 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 32, ... 28, ) == 0x0 00112 468 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00113 468 NtClose (32, ... ) == 0x0 00114 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 86016, ) == 0x0 00115 468 NtClose (28, ... ) == 0x0 00116 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00117 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00118 468 NtQueryAttributesFile ({24, 12, 0x40, 0, 0, ({24, 12, 0x40, 0, 0, "WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00119 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 1241016, ... ) }, 1241016, ... ) == 0x0 00120 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WS2HELP.dll"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00121 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 28, ... 32, ) == 0x0 00122 468 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00123 468 NtClose (28, ... ) == 0x0 00124 468 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00125 468 NtClose (32, ... ) == 0x0 00126 468 NtProtectVirtualMemory (-1, (0x402000), 112, 4, ... 
(0x402000), 4096, 2, ) == 0x0 00127 468 NtProtectVirtualMemory (-1, (0x402000), 4096, 2, ... (0x402000), 4096, 4, ) == 0x0 00128 468 NtFlushInstructionCache (-1, 4202496, 112, ... ) == 0x0 00129 468 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 468 NtQueryInformationToken (32, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00131 468 NtClose (32, ... ) == 0x0 00132 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00133 468 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 468 NtClose (32, ... ) == 0x0 00135 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 32, ) }, ... 32, ) == 0x0 00136 468 NtQueryValueKey (32, (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00137 468 NtQueryValueKey (32, (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (32, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00138 468 NtClose (32, ... ) == 0x0 00139 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 32, ) }, ... 32, ) == 0x0 00140 468 NtQueryValueKey (32, (32, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00141 468 NtClose (32, ... 
) == 0x0 00142 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 32, ) }, ... 32, ) == 0x0 00143 468 NtSetInformationObject (32, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 00144 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00145 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00146 468 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 468, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ) ... {28, 56, reply, 0, 464, 468, 1567, 0} (24, {28, 56, new_msg, 0, 1246456, 1, 24, 2012568566} "\210\6\32\1\0\0\0\0\314\4\23\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ... {28, 56, reply, 0, 464, 468, 1567, 0} "XQ\26\0\0\0\0\0\0\0\0\0\324Wh\364\3\0\0\0\234\6\32\1$\1\0\0" ) ) == 0x0 00147 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00148 468 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1060864, ) == 0x0 00149 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 36, ) == 0x0 00150 468 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00151 468 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482032, ) == 0x0 00152 468 NtQueryInformationToken (-2147482032, Statistics, 0, ... 
) == STATUS_BUFFER_TOO_SMALL 00153 468 NtQueryInformationToken (-2147482032, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00154 468 NtClose (-2147482032, ... ) == 0x0 00155 468 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 4128768, 4096, ) == 0x0 00156 468 NtFreeVirtualMemory (-1, (0x3f0000), 4096, 32768, ... (0x3f0000), 4096, ) == 0x0 00157 468 NtDuplicateObject (-1, 40, -1, 0x0, 0, 2, ... 48, ) == 0x0 00158 468 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00159 468 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00160 468 NtClose (-2147482032, ... ) == 0x0 00161 468 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00162 468 NtQueryValueKey (-2147482032, (-2147482032, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00163 468 NtClose (-2147482032, ... ) == 0x0 00164 468 NtQueryDefaultLocale (0, -136148468, ... ) == 0x0 00165 468 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00166 468 NtUserCallNoParam (24, ... ) == 0x0 00167 468 NtGdiCreateCompatibleDC (0, ... 00168 468 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 4128768, 4096, ) == 0x0 00167 468 NtGdiCreateCompatibleDC ... ) == 0xe010451 00169 468 NtGdiGetStockObject (0, ... ) == 0x1900010 00170 468 NtGdiGetStockObject (4, ... ) == 0x1900011 00171 468 NtGdiCreateBitmap (8, 8, 1, 1, 2010393708, ... ) == 0xb050458 00172 468 NtGdiCreateSolidBrush (0, 0, ... 00173 468 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8519680, 4096, ) == 0x0 00172 468 NtGdiCreateSolidBrush ... ) == 0x810045b 00174 468 NtGdiGetStockObject (13, ... 
) == 0x18a0021 00175 468 NtGdiCreateCompatibleDC (0, ... ) == 0x601045c 00176 468 NtGdiSelectBitmap (100729948, 184878168, ... ) == 0x185000f 00177 468 NtUserGetThreadDesktop (468, 0, ... ) == 0x2c 00178 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 52, ) }, ... 52, ) == 0x0 00179 468 NtQueryValueKey (52, (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (52, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00180 468 NtClose (52, ... ) == 0x0 00181 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00182 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 673, 128, 0, ... ) == 0x810cc017 00183 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00184 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 674, 128, 0, ... ) == 0x810cc01c 00185 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00186 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 675, 128, 0, ... ) == 0x810cc01e 00187 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00188 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 676, 128, 0, ... ) == 0x810c8002 00189 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10013 00190 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 677, 128, 0, ... ) == 0x810cc018 00191 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00192 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 678, 128, 0, ... ) == 0x810cc01a 00193 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00194 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 679, 128, 0, ... 
) == 0x810cc01d 00195 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00196 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 681, 128, 0, ... ) == 0x810cc026 00197 468 NtUserFindExistingCursorIcon (1241204, 1241220, 1241788, ... ) == 0x10011 00198 468 NtUserRegisterClassExWOW (1241724, 1241804, 1241788, 1241820, 680, 128, 0, ... ) == 0x810cc019 00199 468 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc020 00200 468 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc022 00201 468 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... ) == 0x810cc023 00202 468 NtUserRegisterClassExWOW (1241676, 1241752, 1241768, 1241740, 0, 130, 0, ... ) == 0x810cc024 00203 468 NtUserRegisterClassExWOW (1241676, 1241756, 1241740, 1241772, 0, 128, 0, ... 00204 468 NtAllocateVirtualMemory (-1, 5484544, 0, 4096, 4096, 32, ... 5484544, 4096, ) == 0x0 00203 468 NtUserRegisterClassExWOW ... ) == 0x810cc025 00205 468 NtCallbackReturn (0, 0, 0, ... 00206 468 NtGdiInit (... ) == 0x1 00207 468 NtGdiGetStockObject (18, ... ) == 0x290001c 00208 468 NtGdiGetStockObject (19, ... ) == 0x1b00019 00209 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00210 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8585216, 65536, ) == 0x0 00211 468 NtAllocateVirtualMemory (-1, 8585216, 0, 4096, 4096, 4, ... 8585216, 4096, ) == 0x0 00212 468 NtAllocateVirtualMemory (-1, 8589312, 0, 8192, 4096, 4, ... 8589312, 8192, ) == 0x0 00213 468 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 52, ) }, ... 
52, ) == 0x0 00214 468 NtMapViewOfSection (52, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x840000), 0x0, 12288, ) == 0x0 00215 468 NtClose (52, ... ) == 0x0 00216 468 NtAllocateVirtualMemory (-1, 8597504, 0, 4096, 4096, 4, ... 8597504, 4096, ) == 0x0 00217 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00218 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00219 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00220 468 NtTestAlert (... ) == 0x0 00221 468 NtContinue (1244464, 1, ... 00222 468 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x401327,}, 4, ... ) == 0x0 00223 468 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 33, ... 52, {status=0x0, info=1}, ) }, 3, 33, ... 52, {status=0x0, info=1}, ) == 0x0 00224 468 NtQueryVolumeInformationFile (52, 1244988, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00225 468 NtClose (12, ... ) == 0x0 00226 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\SRI-user\LOCALS~1\Temp\"}, 3, 16417, ... 12, {status=0x0, info=1}, ) }, 3, 16417, ... 12, {status=0x0, info=1}, ) == 0x0 00227 468 NtQueryDirectoryFile (12, 0, 0, 0, 1243768, 616, BothDirectory, 1, (12, 0, 0, 0, 1243768, 616, BothDirectory, 1, "VR<.TMP", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 00228 468 NtClose (12, ... ) == 0x0 00229 468 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 
1327104, 4096, ) == 0x0 00230 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 12, ) }, ... 12, ) == 0x0 00231 468 NtQueryValueKey (12, (12, "Dummy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00232 468 NtClose (12, ... ) == 0x0 00233 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00234 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 12, ) == 0x0 00235 468 NtQueryInformationToken (12, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00236 468 NtClose (12, ... ) == 0x0 00237 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 12, ) }, ... 12, ) == 0x0 00238 468 NtSetInformationObject (12, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00239 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 56, ) }, ... 56, ) == 0x0 00240 468 NtQueryValueKey (56, (56, "Dummy", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00241 468 NtClose (56, ... ) == 0x0 00242 468 NtCreateKey (0x2, {24, 32, 0x40, 0, 0, (0x2, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"}, 0, "", 0, ... ) }, 0, "", 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00243 468 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "SYSTEM"}, 0, "", 0, ... 56, 2, ) }, 0, "", 0, ... 56, 2, ) == 0x0 00244 468 NtCreateKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "CurrentControlSet"}, 0, "", 0, ... 60, 2, ) }, 0, "", 0, ... 60, 2, ) == 0x0 00245 468 NtClose (56, ... ) == 0x0 00246 468 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Services"}, 0, "", 0, ... 
56, 2, ) }, 0, "", 0, ... 56, 2, ) == 0x0 00247 468 NtClose (60, ... ) == 0x0 00248 468 NtCreateKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "SharedAccess"}, 0, "", 0, ... 60, 2, ) }, 0, "", 0, ... 60, 2, ) == 0x0 00249 468 NtClose (56, ... ) == 0x0 00250 468 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Parameters"}, 0, "", 0, ... 56, 2, ) }, 0, "", 0, ... 56, 2, ) == 0x0 00251 468 NtClose (60, ... ) == 0x0 00252 468 NtCreateKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "FirewallPolicy"}, 0, "", 0, ... }, 0, "", 0, ... 00253 468 NtSetInformationFile (-2147482844, -136149980, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00252 468 NtCreateKey ... 60, 1, ) == 0x0 00254 468 NtClose (56, ... ) == 0x0 00255 468 NtCreateKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "StandardProfile"}, 0, "", 0, ... 56, 1, ) }, 0, "", 0, ... 56, 1, ) == 0x0 00256 468 NtClose (60, ... ) == 0x0 00257 468 NtCreateKey (0x2000000, {24, 56, 0x40, 0, 0, (0x2000000, {24, 56, 0x40, 0, 0, "AuthorizedApplications"}, 0, "", 0, ... 60, 1, ) }, 0, "", 0, ... 60, 1, ) == 0x0 00258 468 NtClose (56, ... ) == 0x0 00259 468 NtCreateKey (0x2, {24, 60, 0x40, 0, 0, (0x2, {24, 60, 0x40, 0, 0, "List"}, 0, "", 0, ... 56, 1, ) }, 0, "", 0, ... 56, 1, ) == 0x0 00260 468 NtClose (60, ... ) == 0x0 00261 468 NtSetValueKey (56, (56, "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List", 0, 1, "S\0Y\0S\0T\0E\0M\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0S\0e\0r\0v\0i\0c\0e\0s\0\\0S\0h\0a\0r\0e\0d\0A\0c\0c\0e\0s\0s\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\\0F\0i\0r\0e\0w\0a\0l\0l\0P\0o\0l\0i\0c\0y\0\\0S\0t\0a\0n\0d\0a\0r\0d\0P\0r\0o\0f\0i\0l\0e\0\\0A\0u\0t\0h\0o\0r\0i\0z\0e\0d\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0s\0\\0L\0i\0s\0t\0:\0*\0:\0e\0n\0a\0b\0l\0e\0d\0:\0@\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\01\0\0\0", 286, ... 
) , 0, 1, (56, "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List", 0, 1, "S\0Y\0S\0T\0E\0M\0\\0C\0u\0r\0r\0e\0n\0t\0C\0o\0n\0t\0r\0o\0l\0S\0e\0t\0\\0S\0e\0r\0v\0i\0c\0e\0s\0\\0S\0h\0a\0r\0e\0d\0A\0c\0c\0e\0s\0s\0\\0P\0a\0r\0a\0m\0e\0t\0e\0r\0s\0\\0F\0i\0r\0e\0w\0a\0l\0l\0P\0o\0l\0i\0c\0y\0\\0S\0t\0a\0n\0d\0a\0r\0d\0P\0r\0o\0f\0i\0l\0e\0\\0A\0u\0t\0h\0o\0r\0i\0z\0e\0d\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0s\0\\0L\0i\0s\0t\0:\0*\0:\0e\0n\0a\0b\0l\0e\0d\0:\0@\0s\0h\0e\0l\0l\03\02\0.\0d\0l\0l\0,\0-\01\0\0\0", 286, ... ) , 286, ... ) == 0x0 00262 468 NtClose (56, ... ) == 0x0 00263 468 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 56, ) }, ... 56, ) == 0x0 00264 468 NtQueryValueKey (56, (56, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00265 468 NtClose (56, ... ) == 0x0 00266 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WININET.DLL"}, ... 56, ) }, ... 56, ) == 0x0 00267 468 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76200000), 0x0, 618496, ) == 0x0 00268 468 NtClose (56, ... ) == 0x0 00269 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "CRYPT32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00270 468 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762c0000), 0x0, 565248, ) == 0x0 00271 468 NtClose (56, ... ) == 0x0 00272 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MSASN1.dll"}, ... 56, ) }, ... 56, ) == 0x0 00273 468 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x762a0000), 0x0, 61440, ) == 0x0 00274 468 NtClose (56, ... ) == 0x0 00275 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLEAUT32.dll"}, ... 56, ) }, ... 56, ) == 0x0 00276 468 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 
(0x77120000), 0x0, 569344, ) == 0x0 00277 468 NtClose (56, ... ) == 0x0 00278 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "OLE32.DLL"}, ... 56, ) }, ... 56, ) == 0x0 00279 468 NtMapViewOfSection (56, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x771b0000), 0x0, 1155072, ) == 0x0 00280 468 NtClose (56, ... ) == 0x0 00281 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\crypt32\Performance"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00282 468 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00283 468 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00284 468 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00285 468 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 56, ) }, ... 56, ) == 0x0 00286 468 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1243228, 0, (0x1f0003, {24, 56, 0x80, 1243228, 0, "Global\crypt32LogoffEvent"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 00287 468 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\crypt32LogoffEvent"}, ... 60, ) }, ... 60, ) == 0x0 00288 468 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00289 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00290 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00291 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Control\Session Manager"}, ... 64, ) }, ... 
64, ) == 0x0 00292 468 NtQueryValueKey (64, (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (64, "CriticalSectionTimeout", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\215'\0"}, 16, ) }, 16, ) == 0x0 00293 468 NtClose (64, ... ) == 0x0 00294 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00296 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00297 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00298 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface"}, ... 64, ) }, ... 64, ) == 0x0 00299 468 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00300 468 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00301 468 NtQueryValueKey (64, (64, "InterfaceHelperDisableTypeLib", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00302 468 NtClose (64, ... ) == 0x0 00303 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046}"}, ... 64, ) }, ... 
64, ) == 0x0 00304 468 NtQueryValueKey (64, (64, "InterfaceHelperDisableAll", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 468 NtQueryValueKey (64, (64, "InterfaceHelperDisableAllForOle32", Full, 0, ... ) , Full, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00306 468 NtClose (64, ... ) == 0x0 00307 468 NtOpenEvent (0x1f0003, {24, 56, 0x0, 0, 0, (0x1f0003, {24, 56, 0x0, 0, 0, "HookSwitchHookEnabledEvent"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00308 468 NtUserRegisterWindowMessage ( ("{FB8F0821-0164-101B-84ED-08002B2EC713}", ... ) , ... ) == 0xc07b 00309 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00310 468 NtOpenKey (0x9, {24, 32, 0x40, 0, 0, (0x9, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT\UserEra"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00311 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\OLEAUT"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00312 468 NtAllocateVirtualMemory (-1, 1347584, 0, 8192, 4096, 4, ... 1347584, 8192, ) == 0x0 00313 468 NtCreateKey (0xf003f, {24, 12, 0x40, 0, 0, (0xf003f, {24, 12, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History"}, 0, 0x0, 0, ... 64, 2, ) }, 0, 0x0, 0, ... 64, 2, ) == 0x0 00314 468 NtQueryDefaultUILanguage (1241464, ... 00315 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00316 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00317 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00318 468 NtClose (-2147482032, ... ) == 0x0 00319 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 00320 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00321 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00322 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00323 468 NtClose (-2147482044, ... ) == 0x0 00324 468 NtClose (-2147482032, ... ) == 0x0 00314 468 NtQueryDefaultUILanguage ... ) == 0x0 00325 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00326 468 NtQueryInstallUILanguage (2012047340, ... ) == 0x0 00327 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00328 468 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 72, ) == 0x0 00329 468 NtMapViewOfSection (72, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x850000), 0x0, 593920, ) == 0x0 00330 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 468 NtQueryDefaultUILanguage (2013024600, ... 00332 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00333 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00334 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00335 468 NtClose (-2147482032, ... 
) == 0x0 00336 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00337 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00338 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00339 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00340 468 NtClose (-2147482044, ... ) == 0x0 00341 468 NtClose (-2147482032, ... ) == 0x0 00331 468 NtQueryDefaultUILanguage ... ) == 0x0 00342 468 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00343 468 NtQueryInstallUILanguage (2013024602, ... ) == 0x0 00344 468 NtQueryDefaultLocale (1, 1239500, ... ) == 0x0 00345 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WININET.DLL.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00346 468 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1240356, 1, 96, 0} (24, {128, 156, new_msg, 0, 1240356, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\214\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0$\364\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 464, 468, 1568, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\214\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0$\364\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 468, 1568, 0} (24, {128, 156, new_msg, 0, 1240356, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\214\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0$\364\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1568, 0} " S\26\0\33\0\1\0\0\0\0\0\1\360\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1D\0\0\0\377\377\377\377\0\0\0\0P\275\214\0\0\0\0\0\312\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0$\364\22\0\0\0\0\0" ) ) == 0x0 00347 468 NtClose (68, ... ) == 0x0 00348 468 NtClose (72, ... ) == 0x0 00349 468 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00350 468 NtUnmapViewOfSection (-1, 0x12f424, ... ) == STATUS_NOT_MAPPED_VIEW 00351 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00352 468 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00353 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00354 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00355 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238040, ... ) }, 1238040, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00356 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00357 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00358 468 NtQueryDebugFilterState (53, 2, ... 
) == 0x0 00359 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238632, ... ) }, 1238632, ... ) == 0x0 00360 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 72, {status=0x0, info=1}, ) }, 3, 33, ... 72, {status=0x0, info=1}, ) == 0x0 00361 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00362 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00363 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00364 468 NtClose (68, ... ) == 0x0 00365 468 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x900000), 0x0, 921600, ) == 0x0 00366 468 NtClose (76, ... ) == 0x0 00367 468 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00368 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll"}, 5, 96, ... 76, {status=0x0, info=1}, ) }, 5, 96, ... 76, {status=0x0, info=1}, ) == 0x0 00369 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 76, ... 68, ) == 0x0 00370 468 NtQuerySection (68, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00371 468 NtClose (76, ... ) == 0x0 00372 468 NtMapViewOfSection (68, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71950000), 0x0, 933888, ) == 0x0 00373 468 NtClose (68, ... ) == 0x0 00374 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00375 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... 
(0x71951000), 4096, 4, ) == 0x0 00376 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00377 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00378 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00379 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00380 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00381 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00382 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00383 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00384 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00385 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00386 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00387 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00388 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00389 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00390 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00391 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00392 468 NtProtectVirtualMemory (-1, (0x71951000), 1952, 4, ... (0x71951000), 4096, 32, ) == 0x0 00393 468 NtProtectVirtualMemory (-1, (0x71951000), 4096, 32, ... (0x71951000), 4096, 4, ) == 0x0 00394 468 NtFlushInstructionCache (-1, 1905594368, 1952, ... ) == 0x0 00395 468 NtAddAtom ( ("T\0h\0e\0m\0e\0P\0r\0o\0p\0S\0c\0r\0o\0l\0l\0B\0a\0r\0C\0t\0l\0", 42, 1239816, ... ) , 42, 1239816, ... ) == 0x0 00396 468 NtQueryDefaultUILanguage (1238532, ... 00397 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... 
) == STATUS_NO_TOKEN 00398 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00399 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00400 468 NtClose (-2147482032, ... ) == 0x0 00401 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00402 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00403 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00404 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00405 468 NtClose (-2147482044, ... ) == 0x0 00406 468 NtClose (-2147482032, ... ) == 0x0 00396 468 NtQueryDefaultUILanguage ... ) == 0x0 00407 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00408 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237384, ... ) }, 1237384, ... ) == 0x0 00409 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00410 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 68, ... 76, ) == 0x0 00411 468 NtClose (68, ... ) == 0x0 00412 468 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x850000), 0x0, 4096, ) == 0x0 00413 468 NtClose (76, ... ) == 0x0 00414 468 NtUnmapViewOfSection (-1, 0x850000, ... 
) == 0x0 00415 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1237024, ... ) }, 1237024, ... ) == 0x0 00416 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1237724, (0x80100080, {24, 0, 0x40, 0, 1237724, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) }, 0x0, 0, 5, 1, 96, 0, 0, ... 76, {status=0x0, info=1}, ) == 0x0 00417 468 NtCreateSection (0xf0005, 0x0, 0x0, 2, 134217728, 76, ... 68, ) == 0x0 00418 468 NtClose (76, ... ) == 0x0 00419 468 NtMapViewOfSection (68, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 4096, ) == 0x0 00420 468 NtClose (68, ... ) == 0x0 00421 468 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00422 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Manifest"}, 1, 96, ... 68, {status=0x0, info=1}, ) }, 1, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00423 468 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 68, ... 76, ) == 0x0 00424 468 NtMapViewOfSection (76, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x850000), 0x0, 4096, ) == 0x0 00425 468 NtQueryInformationFile (68, 1237344, 56, NetworkOpen, ... {status=0x0, info=56}, ) == 0x0 00426 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WindowsShell.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00427 468 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237424, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237424, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\260\350\22\0\0\0\0\0" ... 
{128, 156, reply, 0, 464, 468, 1569, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\260\350\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 468, 1569, 0} (24, {128, 156, new_msg, 0, 1237424, 1, 96, 0} "\210\6\32\1\33\0\1\0\240\315Z\371\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\260\350\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1569, 0} "h\334\26\0\33\0\1\0\0\0\0\0\2209\307\1\1\0\0\0\0\0\11\4\1\1\3\0@\0D\0\250\6\32\1D\0\0\0L\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\355\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\26\0\30\0\354\6\32\1\0\0\0\0\0\0\0\0\260\350\22\0\0\0\0\0" ) ) == 0x0 00428 468 NtClose (68, ... ) == 0x0 00429 468 NtClose (76, ... ) == 0x0 00430 468 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00431 468 NtUnmapViewOfSection (-1, 0x12e8b0, ... ) == STATUS_NOT_MAPPED_VIEW 00432 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00433 468 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00434 468 NtUserSystemParametersInfo (104, 0, 1906151468, 0, ... ) == 0x1 00435 468 NtUserGetDC (0, ... ) == 0x1010054 00436 468 NtUserCallOneParam (16842836, 56, ... ) == 0x1 00437 468 NtUserSystemParametersInfo (38, 4, 1906153440, 0, ... ) == 0x1 00438 468 NtUserSystemParametersInfo (66, 12, 1239836, 0, ... ) == 0x1 00439 468 NtOpenProcessToken (-1, 0x8, ... 76, ) == 0x0 00440 468 NtAccessCheck (1345816, 76, 0x1, 1239240, 1239184, 56, 1239268, ... ) == STATUS_NO_IMPERSONATION_TOKEN 00441 468 NtClose (76, ... 
) == 0x0 00442 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 76, ) }, ... 76, ) == 0x0 00443 468 NtQueryValueKey (76, (76, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00444 468 NtClose (76, ... ) == 0x0 00445 468 NtUserSystemParametersInfo (41, 500, 1239336, 0, ... ) == 0x1 00446 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 76, ) }, ... 76, ) == 0x0 00447 468 NtQueryValueKey (76, (76, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00448 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"}, ... 68, ) }, ... 68, ) == 0x0 00449 468 NtQueryValueKey (68, (68, "EnableBalloonTips", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00450 468 NtClose (68, ... ) == 0x0 00451 468 NtClose (76, ... ) == 0x0 00452 468 NtUserSystemParametersInfo (102, 0, 1906153328, 0, ... ) == 0x1 00453 468 NtUserSystemParametersInfo (4130, 0, 1239860, 0, ... ) == 0x1 00454 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\LanguagePack"}, ... 76, ) }, ... 76, ) == 0x0 00455 468 NtEnumerateValueKey (76, 0, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 00456 468 NtClose (76, ... ) == 0x0 00457 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00458 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc03b 00459 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc03d 00460 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00461 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... 
) == 0x810cc03f 00462 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00463 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc041 00464 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00465 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc043 00466 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc045 00467 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00468 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc047 00469 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00470 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc049 00471 468 NtUserGetClassInfo (1905590272, 1239756, 1239708, 1239784, 0, ... ) == 0xc049 00472 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00473 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc04b 00474 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00475 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc04d 00476 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00477 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc04f 00478 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc051 00479 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00480 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc053 00481 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00482 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... 
) == 0x810cc055 00483 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc057 00484 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00485 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc059 00486 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10013 00487 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc05b 00488 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00489 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc05d 00490 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00491 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc05f 00492 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00493 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc017 00494 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00495 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc019 00496 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10013 00497 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc018 00498 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00499 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... ) == 0x810cc01a 00500 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00501 468 NtUserRegisterClassExWOW (1239592, 1239672, 1239656, 1239688, 0, 384, 0, ... ) == 0x810cc01c 00502 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00503 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... 
) == 0x810cc01e 00504 468 NtUserFindExistingCursorIcon (1239140, 1239156, 1239724, ... ) == 0x10011 00505 468 NtUserRegisterClassExWOW (1239652, 1239732, 1239716, 1239748, 0, 384, 0, ... ) == 0x810cc01b 00506 468 NtUserFindExistingCursorIcon (1239136, 1239152, 1239720, ... ) == 0x10011 00507 468 NtUserRegisterClassExWOW (1239648, 1239728, 1239712, 1239744, 0, 384, 0, ... ) == 0x810cc068 00508 468 NtUserFindExistingCursorIcon (1239144, 1239160, 1239728, ... ) == 0x10011 00509 468 NtUserRegisterClassExWOW (1239596, 1239676, 1239660, 1239692, 0, 384, 0, ... 00510 468 NtAllocateVirtualMemory (-1, 5488640, 0, 4096, 4096, 32, ... 5488640, 4096, ) == 0x0 00509 468 NtUserRegisterClassExWOW ... ) == 0x810cc06a 00511 468 NtCreateKey (0x2001f, {24, 12, 0x40, 0, 0, (0x2001f, {24, 12, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, 0, 0x0, 0, ... 76, 2, ) }, 0, 0x0, 0, ... 76, 2, ) == 0x0 00512 468 NtQueryValueKey (76, (76, "FromCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00513 468 NtQueryValueKey (76, (76, "SecureProtocols", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00514 468 NtQueryValueKey (76, (76, "CertificateRevocation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 468 NtQueryValueKey (76, (76, "DisableKeepAlive", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00516 468 NtQueryValueKey (76, (76, "DisablePassport", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00517 468 NtQueryValueKey (76, (76, "CacheMode", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00518 468 NtQueryValueKey (76, (76, "EnableHttp1_1", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableHttp1_1", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00519 468 NtQueryValueKey (76, (76, "ProxyHttp1.1", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 468 NtQueryValueKey (76, (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableNegotiate", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00521 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "Secur32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\Secur32.dll"}, 1242568, ... ) }, 1242568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00523 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "Secur32.dll"}, 1242568, ... ) }, 1242568, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00524 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 1242568, ... ) }, 1242568, ... ) == 0x0 00525 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Secur32.dll"}, 5, 96, ... 68, {status=0x0, info=1}, ) }, 5, 96, ... 68, {status=0x0, info=1}, ) == 0x0 00526 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 68, ... 80, ) == 0x0 00527 468 NtQuerySection (80, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00528 468 NtClose (68, ... ) == 0x0 00529 468 NtMapViewOfSection (80, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f90000), 0x0, 65536, ) == 0x0 00530 468 NtClose (80, ... ) == 0x0 00531 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 80, ) == 0x0 00532 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 68, ) == 0x0 00533 468 NtOpenEvent (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\SECURITY\LSA_AUTHENTICATION_INITIALIZED"}, ... 84, ) }, ... 84, ) == 0x0 00534 468 NtQueryEvent (84, Basic, 8, ... 
{EventType=0,SignalState=1,}, 0x0, ) == 0x0 00535 468 NtClose (84, ... ) == 0x0 00536 468 NtConnectPort ( ("\LsaAuthenticationPort", {12, 2, 1, 0}, 0x0, 0x0, 1244052, 140, ... 84, 0x0, 0x0, 256, 140, ) , {12, 2, 1, 0}, 0x0, 0x0, 1244052, 140, ... 84, 0x0, 0x0, 256, 140, ) == 0x0 00537 468 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 464, 468, 1571, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 464, 468, 1571, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\220\36\24\0" ... {176, 200, reply, 0, 464, 468, 1571, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 00538 468 NtQueryValueKey (76, (76, "SyncMode5", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00539 468 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00540 468 NtQueryValueKey (88, (88, "FixupKey", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00541 468 NtClose (88, ... 
) == 0x0 00542 468 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00543 468 NtQueryValueKey (88, (88, "SessionStartTimeDefaultDeltaSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00544 468 NtClose (88, ... ) == 0x0 00545 468 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 88, ) }, ... 88, ) == 0x0 00546 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 92, ) }, ... 92, ) == 0x0 00547 468 NtQueryValueKey (92, (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (92, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00548 468 NtClose (92, ... ) == 0x0 00549 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 92, ) }, ... 92, ) == 0x0 00550 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 96, ) }, ... 96, ) == 0x0 00551 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 100, ) }, ... 100, ) == 0x0 00552 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 104, ) }, ... 104, ) == 0x0 00553 468 NtQueryValueKey (104, (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00554 468 NtQueryValueKey (104, (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "Signature", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0l\0i\0e\0n\0t\0 \0U\0r\0l\0C\0a\0c\0h\0e\0 \0M\0M\0F\0 \0V\0e\0r\0 \05\0.\02\0\0\0"}, 68, ) }, 68, ) == 0x0 00555 468 NtClose (104, ... ) == 0x0 00556 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 104, ) }, ... 104, ) == 0x0 00557 468 NtQueryValueKey (104, (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00558 468 NtQueryValueKey (104, (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00559 468 NtQueryValueKey (104, (104, "Cookies", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00560 468 NtQueryValueKey (104, (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00561 468 NtQueryValueKey (104, (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00562 468 NtQueryValueKey (104, (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (104, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00563 468 NtClose (104, ... ) == 0x0 00564 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0 00565 468 NtQueryValueKey (104, (104, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "PerUserItem", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00566 468 NtClose (104, ... ) == 0x0 00567 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Content"}, ... 104, ) }, ... 104, ) == 0x0 00568 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "shell32.dll"}, ... 108, ) }, ... 108, ) == 0x0 00569 468 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x773d0000), 0x0, 8339456, ) == 0x0 00570 468 NtClose (108, ... ) == 0x0 00571 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 108, ) }, ... 108, ) == 0x0 00572 468 NtQueryValueKey (108, (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (108, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00573 468 NtClose (108, ... ) == 0x0 00574 468 NtQueryDefaultUILanguage (1239020, ... 00575 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00576 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 00577 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00578 468 NtClose (-2147482032, ... ) == 0x0 00579 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 00580 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00581 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 00582 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00583 468 NtClose (-2147482044, ... ) == 0x0 00584 468 NtClose (-2147482032, ... ) == 0x0 00574 468 NtQueryDefaultUILanguage ... ) == 0x0 00585 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00586 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll"}, 1, 96, ... 108, {status=0x0, info=1}, ) }, 1, 96, ... 108, {status=0x0, info=1}, ) == 0x0 00587 468 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 108, ... 112, ) == 0x0 00588 468 NtMapViewOfSection (112, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x900000), 0x0, 8323072, ) == 0x0 00589 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00590 468 NtQueryDefaultLocale (1, 1237056, ... ) == 0x0 00591 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\shell32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00592 468 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1237912, 1, 96, 0} (24, {128, 156, new_msg, 0, 1237912, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\230\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1572, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\230\352\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 464, 468, 1572, 0} (24, {128, 156, new_msg, 0, 1237912, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\230\352\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1572, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\346\22\0\1\0\0\0\0\0\11\4\1\1\1\0>\0@\0\250\6\32\1l\0\0\0\377\377\377\377\0\0\0\0\20\311\307\0\0\0\0\0\236\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\230\352\22\0\0\0\0\0" ) ) == 0x0 00593 468 NtClose (108, ... ) == 0x0 00594 468 NtClose (112, ... ) == 0x0 00595 468 NtUnmapViewOfSection (-1, 0x900000, ... ) == 0x0 00596 468 NtUnmapViewOfSection (-1, 0x12ea98, ... ) == STATUS_NOT_MAPPED_VIEW 00597 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00598 468 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 1355776, 4096, ) == 0x0 00599 468 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00600 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00601 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00602 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236140, ... ) }, 1236140, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00603 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00604 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00605 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00606 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1236732, ... ) }, 1236732, ... 
) == 0x0 00607 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 112, {status=0x0, info=1}, ) }, 3, 33, ... 112, {status=0x0, info=1}, ) == 0x0 00608 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00609 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "comctl32.dll"}, ... 108, ) }, ... 108, ) == 0x0 00610 468 NtMapViewOfSection (108, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77340000), 0x0, 569344, ) == 0x0 00611 468 NtClose (108, ... ) == 0x0 00612 468 NtOpenProcess (0x400, {24, 0, 0x0, 0, 0, 0x0}, {464, 0}, ... 108, ) == 0x0 00613 468 NtQueryInformationProcess (108, Session, 4, ... {SessionId=0,}, 0x0, ) == 0x0 00614 468 NtClose (108, ... ) == 0x0 00615 468 NtUserRegisterWindowMessage ( ("ShellGetDragImage", ... ) , ... ) == 0xc03a 00616 468 NtUserSystemParametersInfo (104, 0, 2000318720, 0, ... ) == 0x1 00617 468 NtUserSystemParametersInfo (38, 4, 2000318708, 0, ... ) == 0x1 00618 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Control Panel\Desktop"}, ... 108, ) }, ... 108, ) == 0x0 00619 468 NtQueryValueKey (108, (108, "SmoothScroll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00620 468 NtClose (108, ... ) == 0x0 00621 468 NtUserSystemParametersInfo (41, 500, 1238596, 0, ... ) == 0x1 00622 468 NtUserSystemParametersInfo (102, 0, 2000318732, 0, ... ) == 0x1 00623 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00624 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00625 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc03b 00626 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00627 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... 
) == 0x810cc03d 00628 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00629 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00630 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc03f 00631 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00632 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00633 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc041 00634 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00635 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00636 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc043 00637 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00638 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc045 00639 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00640 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00641 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc047 00642 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00643 468 NtUserFindExistingCursorIcon (1238384, 1238400, 1238968, ... ) == 0x10011 00644 468 NtUserRegisterClassExWOW (1238836, 1238916, 1238900, 1238932, 0, 384, 0, ... ) == 0x810cc049 00645 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00646 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00647 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc04b 00648 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00649 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... 
) == 0x10011 00650 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc04d 00651 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00652 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00653 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc04f 00654 468 NtUserGetClassInfo (1999896576, 1239008, 1238960, 1239036, 0, ... ) == 0x0 00655 468 NtUserRegisterClassExWOW (1238844, 1238924, 1238908, 1238940, 0, 384, 0, ... ) == 0x810cc051 00656 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00657 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00658 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc053 00659 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00660 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00661 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc055 00662 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc057 00663 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00664 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00665 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc059 00666 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00667 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10013 00668 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc05b 00669 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00670 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... 
) == 0x10011 00671 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc05d 00672 468 NtUserGetClassInfo (1999896576, 1239004, 1238956, 1239032, 0, ... ) == 0x0 00673 468 NtUserFindExistingCursorIcon (1238388, 1238404, 1238972, ... ) == 0x10011 00674 468 NtUserRegisterClassExWOW (1238840, 1238920, 1238904, 1238936, 0, 384, 0, ... ) == 0x810cc05f 00675 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc03b 00676 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc03d 00677 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc03f 00678 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc041 00679 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc043 00680 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc045 00681 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc047 00682 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc049 00683 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc04b 00684 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc04d 00685 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc04f 00686 468 NtUserGetClassInfo (1999896576, 1240760, 1240712, 1240788, 0, ... ) == 0xc051 00687 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc053 00688 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc055 00689 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc059 00690 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc05b 00691 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... ) == 0xc05d 00692 468 NtUserGetClassInfo (1999896576, 1240756, 1240708, 1240784, 0, ... 
) == 0xc05f 00693 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00694 468 NtCreateSemaphore (0x1f0003, {24, 56, 0x80, 1356136, 0, (0x1f0003, {24, 56, 0x80, 1356136, 0, "shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}"}, 0, 2147483647, ... 108, ) }, 0, 2147483647, ... 108, ) == STATUS_OBJECT_NAME_EXISTS 00695 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00696 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 00697 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00698 468 NtQueryValueKey (116, (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cache", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 120, ) }, 120, ) == 0x0 00699 468 NtClose (116, ... ) == 0x0 00700 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1241280, ... ) }, 1241280, ... ) == 0x0 00701 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00702 468 NtSetValueKey (116, (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... 
) , 0, 1, (116, "Cache", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0", 150, ... ) , 150, ... ) == 0x0 00703 468 NtClose (116, ... ) == 0x0 00704 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1242612, ... ) }, 1242612, ... ) == 0x0 00705 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 1242344, ... ) }, 1242344, ... ) == 0x0 00706 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00707 468 NtSetInformationFile (116, 1242320, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00708 468 NtClose (116, ... ) == 0x0 00709 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\desktop.ini"}, 1242344, ... ) }, 1242344, ... ) == 0x0 00710 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00711 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00712 468 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\251~\1\0"}, 16, ) }, 16, ) == 0x0 00713 468 NtOpenKey (0xf, {24, 32, 0x40, 0, 0, (0xf, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"}, ... 116, ) }, ... 116, ) == 0x0 00714 468 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Paths"}, ... 120, ) }, ... 120, ) == 0x0 00715 468 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path1"}, ... 124, ) }, ... 124, ) == 0x0 00716 468 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path2"}, ... 128, ) }, ... 128, ) == 0x0 00717 468 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path3"}, ... 132, ) }, ... 132, ) == 0x0 00718 468 NtOpenKey (0xf, {24, 120, 0x40, 0, 0, (0xf, {24, 120, 0x40, 0, 0, "Path4"}, ... 136, ) }, ... 136, ) == 0x0 00719 468 NtOpenKey (0xf, {24, 116, 0x40, 0, 0, (0xf, {24, 116, 0x40, 0, 0, "Special Paths"}, ... 140, ) }, ... 140, ) == 0x0 00720 468 NtSetValueKey (120, (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 0, 1, (120, "Directory", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\0\0", 174, ... ) , 174, ... ) == 0x0 00721 468 NtSetValueKey (120, (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 0, 4, (120, "Paths", 0, 4, "\4\0\0\0", 4, ... ) , 4, ... 
) == 0x0 00722 468 NtSetValueKey (124, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 0, 1, (124, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\01\0\0\0", 188, ... ) , 188, ... ) == 0x0 00723 468 NtSetValueKey (128, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 0, 1, (128, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\02\0\0\0", 188, ... ) , 188, ... ) == 0x0 00724 468 NtSetValueKey (132, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... 
) , 0, 1, (132, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\03\0\0\0", 188, ... ) , 188, ... ) == 0x0 00725 468 NtSetValueKey (136, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 0, 1, (136, "CachePath", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\\0C\0o\0n\0t\0e\0n\0t\0.\0I\0E\05\0\\0C\0a\0c\0h\0e\04\0\0\0", 188, ... ) , 188, ... ) == 0x0 00726 468 NtSetValueKey (124, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (124, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00727 468 NtSetValueKey (128, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (128, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00728 468 NtSetValueKey (132, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (132, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00729 468 NtSetValueKey (136, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 0, 4, (136, "CacheLimit", 0, 4, "\252_\0\0", 4, ... ) , 4, ... ) == 0x0 00730 468 NtClose (136, ... ) == 0x0 00731 468 NtClose (132, ... ) == 0x0 00732 468 NtClose (128, ... ) == 0x0 00733 468 NtClose (124, ... ) == 0x0 00734 468 NtClose (120, ... ) == 0x0 00735 468 NtClose (140, ... ) == 0x0 00736 468 NtClose (116, ... 
) == 0x0 00737 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 116, ) }, ... 116, ) == 0x0 00738 468 NtQueryValueKey (116, (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00739 468 NtClose (116, ... ) == 0x0 00740 468 NtClose (104, ... ) == 0x0 00741 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "Cookies"}, ... 104, ) }, ... 104, ) == 0x0 00742 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00743 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00744 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 00745 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00746 468 NtQueryValueKey (116, (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "Cookies", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0"}, 56, ) }, 56, ) == 0x0 00747 468 NtClose (116, ... ) == 0x0 00748 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1241280, ... ) }, 1241280, ... ) == 0x0 00749 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00750 468 NtSetValueKey (116, (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... 
) , 0, 1, (116, "Cookies", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0C\0o\0o\0k\0i\0e\0s\0\0\0", 86, ... ) , 86, ... ) == 0x0 00751 468 NtClose (116, ... ) == 0x0 00752 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies"}, 1242612, ... ) }, 1242612, ... ) == 0x0 00753 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00754 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0o\0o\0k\0i\0e\0:\0\0\0"}, 28, ) }, 28, ) == 0x0 00755 468 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00756 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 116, ) }, ... 116, ) == 0x0 00757 468 NtQueryValueKey (116, (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (116, "PerUserItem", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00758 468 NtClose (116, ... ) == 0x0 00759 468 NtClose (104, ... ) == 0x0 00760 468 NtOpenKey (0xf, {24, 96, 0x40, 0, 0, (0xf, {24, 96, 0x40, 0, 0, "History"}, ... 104, ) }, ... 104, ) == 0x0 00761 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 00762 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 00763 468 NtWaitForSingleObject (108, 0, {0, 0}, ... 
) == 0x0 00764 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00765 468 NtQueryValueKey (116, (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (116, "History", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0"}, 86, ) }, 86, ) == 0x0 00766 468 NtClose (116, ... ) == 0x0 00767 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1241280, ... ) }, 1241280, ... ) == 0x0 00768 468 NtCreateKey (0x2000000, {24, 12, 0x40, 0, 0, (0x2000000, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 116, 2, ) }, 0, 0x0, 0, ... 116, 2, ) == 0x0 00769 468 NtSetValueKey (116, (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 0, 1, (116, "History", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\0\0", 116, ... ) , 116, ... ) == 0x0 00770 468 NtClose (116, ... ) == 0x0 00771 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1242612, ... ) }, 1242612, ... ) == 0x0 00772 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 1242344, ... ) }, 1242344, ... 
) == 0x0 00773 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History"}, 7, 2113568, ... 116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00774 468 NtSetInformationFile (116, 1242320, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00775 468 NtClose (116, ... ) == 0x0 00776 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\desktop.ini"}, 1242344, ... ) }, 1242344, ... ) == 0x0 00777 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00778 468 NtQueryValueKey (104, (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (104, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data="V\0i\0s\0i\0t\0e\0d\0:\0\0\0"}, 30, ) }, 30, ) == 0x0 00779 468 NtQueryValueKey (104, (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (104, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00780 468 NtClose (104, ... ) == 0x0 00781 468 NtClose (100, ... ) == 0x0 00782 468 NtClose (92, ... ) == 0x0 00783 468 NtClose (96, ... ) == 0x0 00784 468 NtClose (88, ... ) == 0x0 00785 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "_!MSFTHISTORY!_"}, ... 88, ) }, ... 88, ) == 0x0 00786 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!temporary internet files!content.ie5!"}, ... 96, ) }, ... 
96, ) == 0x0 00787 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00788 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0 00789 468 NtQueryVolumeInformationFile (92, 1243864, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00790 468 NtClose (92, ... ) == 0x0 00791 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 92, {status=0x0, info=1}, ) }, 3, 8388641, ... 92, {status=0x0, info=1}, ) == 0x0 00792 468 NtQueryVolumeInformationFile (92, 1243888, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00793 468 NtClose (92, ... ) == 0x0 00794 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1244216, ... ) }, 1244216, ... ) == 0x0 00795 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 92, {status=0x0, info=1}, ) }, 7, 2113568, ... 92, {status=0x0, info=1}, ) == 0x0 00796 468 NtSetInformationFile (92, 1244192, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00797 468 NtClose (92, ... ) == 0x0 00798 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244208, (0xc0100080, {24, 0, 0x40, 1356136, 1244208, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0 00799 468 NtSetInformationFile (92, 1244260, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00800 468 NtQueryInformationFile (92, 1244260, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00801 468 NtClose (92, ... 
) == 0x0 00802 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244192, (0xc0100080, {24, 0, 0x40, 1356136, 1244192, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 92, {status=0x0, info=1}, ) == 0x0 00803 468 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768"}, ... 100, ) }, ... 100, ) == 0x0 00804 468 NtMapViewOfSection (100, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x870000), {0, 0}, 32768, ) == 0x0 00805 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 00806 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!cookies!"}, ... 104, ) }, ... 104, ) == 0x0 00807 468 NtWaitForSingleObject (104, 0, 0x0, ... ) == 0x0 00808 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0 00809 468 NtQueryVolumeInformationFile (116, 1243864, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00810 468 NtClose (116, ... ) == 0x0 00811 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 116, {status=0x0, info=1}, ) }, 3, 8388641, ... 116, {status=0x0, info=1}, ) == 0x0 00812 468 NtQueryVolumeInformationFile (116, 1243888, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00813 468 NtClose (116, ... ) == 0x0 00814 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 1244216, ... ) }, 1244216, ... ) == 0x0 00815 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Cookies\"}, 7, 2113568, ... 
116, {status=0x0, info=1}, ) }, 7, 2113568, ... 116, {status=0x0, info=1}, ) == 0x0 00816 468 NtSetInformationFile (116, 1244192, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00817 468 NtClose (116, ... ) == 0x0 00818 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244208, (0xc0100080, {24, 0, 0x40, 1356136, 1244208, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0 00819 468 NtSetInformationFile (116, 1244260, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00820 468 NtQueryInformationFile (116, 1244260, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00821 468 NtClose (116, ... ) == 0x0 00822 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244192, (0xc0100080, {24, 0, 0x40, 1356136, 1244192, "\??\C:\Documents and Settings\SRI-user\Cookies\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 116, {status=0x0, info=1}, ) == 0x0 00823 468 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Cookies_index.dat_16384"}, ... 140, ) }, ... 140, ) == 0x0 00824 468 NtMapViewOfSection (140, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x880000), {0, 0}, 16384, ) == 0x0 00825 468 NtReleaseMutant (104, ... 0x0, ) == 0x0 00826 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "c:!documents and settings!sri-user!local settings!history!history.ie5!"}, ... 120, ) }, ... 120, ) == 0x0 00827 468 NtWaitForSingleObject (120, 0, 0x0, ... ) == 0x0 00828 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0 00829 468 NtQueryVolumeInformationFile (124, 1243864, 24, Size, ... 
{status=0x0, info=24}, ) == 0x0 00830 468 NtClose (124, ... ) == 0x0 00831 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 8388641, ... 124, {status=0x0, info=1}, ) }, 3, 8388641, ... 124, {status=0x0, info=1}, ) == 0x0 00832 468 NtQueryVolumeInformationFile (124, 1243888, 24, Size, ... {status=0x0, info=24}, ) == 0x0 00833 468 NtClose (124, ... ) == 0x0 00834 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1244216, ... ) }, 1244216, ... ) == 0x0 00835 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 124, {status=0x0, info=1}, ) }, 7, 2113568, ... 124, {status=0x0, info=1}, ) == 0x0 00836 468 NtSetInformationFile (124, 1244192, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00837 468 NtClose (124, ... ) == 0x0 00838 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244208, (0xc0100080, {24, 0, 0x40, 1356136, 1244208, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) == 0x0 00839 468 NtSetInformationFile (124, 1244260, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00840 468 NtQueryInformationFile (124, 1244260, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00841 468 NtClose (124, ... ) == 0x0 00842 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 1356136, 1244192, (0xc0100080, {24, 0, 0x40, 1356136, 1244192, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\index.dat"}, 0x0, 0, 3, 3, 2144, 0, 0, ... 124, {status=0x0, info=1}, ) }, 0x0, 0, 3, 3, 2144, 0, 0, ... 
124, {status=0x0, info=1}, ) == 0x0 00843 468 NtOpenSection (0x2, {24, 56, 0x0, 0, 0, (0x2, {24, 56, 0x0, 0, 0, "C:_Documents and Settings_SRI-user_Local Settings_History_History.IE5_index.dat_32768"}, ... 128, ) }, ... 128, ) == 0x0 00844 468 NtMapViewOfSection (128, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x890000), {0, 0}, 32768, ) == 0x0 00845 468 NtReleaseMutant (120, ... 0x0, ) == 0x0 00846 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 1244272, ... ) }, 1244272, ... ) == 0x0 00847 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00848 468 NtSetInformationFile (132, 1244248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00849 468 NtClose (132, ... ) == 0x0 00850 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"}, 1244272, ... ) }, 1244272, ... ) == 0x0 00851 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 1244272, ... ) }, 1244272, ... ) == 0x0 00852 468 NtOpenFile (0x100100, {24, 0, 0x40, 0, 0, (0x100100, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\"}, 7, 2113568, ... 132, {status=0x0, info=1}, ) }, 7, 2113568, ... 132, {status=0x0, info=1}, ) == 0x0 00853 468 NtSetInformationFile (132, 1244248, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00854 468 NtClose (132, ... ) == 0x0 00855 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\History\History.IE5\desktop.ini"}, 1244272, ... 
) }, 1244272, ... ) == 0x0 00856 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00857 468 NtQueryInformationFile (92, 1242656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00858 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 00859 468 NtOpenKey (0xf, {24, 12, 0x40, 0, 0, (0xf, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 132, ) }, ... 132, ) == 0x0 00860 468 NtOpenKey (0xf, {24, 132, 0x40, 0, 0, (0xf, {24, 132, 0x40, 0, 0, "Extensible Cache"}, ... 136, ) }, ... 136, ) == 0x0 00861 468 NtClose (132, ... ) == 0x0 00862 468 NtWaitForSingleObject (88, 0, {-600000000, -1}, ... ) == 0x0 00863 468 NtEnumerateKey (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name= (136, 0, Basic, 288, ... {LastWrite={0x89210de2,0x1c79d95}, TitleIdx=0, Name="MSHist012007051420070521"}, 64, ) }, 64, ) == 0x0 00864 468 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007051420070521"}, ... 132, ) }, ... 132, ) == 0x0 00865 468 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00866 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00867 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00868 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00869 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00870 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00871 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\01\04\02\00\00\07\00\05\02\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00872 468 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00873 468 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00874 468 NtClose (132, ... ) == 0x0 00875 468 NtEnumerateKey (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name= (136, 1, Basic, 288, ... {LastWrite={0xfe4bb184,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007052120070528"}, 64, ) }, 64, ) == 0x0 00876 468 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007052120070528"}, ... 132, ) }, ... 132, ) == 0x0 00877 468 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00878 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00879 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00880 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00881 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00882 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00883 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\02\01\02\00\00\07\00\05\02\08\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00884 468 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00885 468 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00886 468 NtClose (132, ... ) == 0x0 00887 468 NtEnumerateKey (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name= (136, 2, Basic, 288, ... {LastWrite={0xfe4e13de,0x1c7a3a9}, TitleIdx=0, Name="MSHist012007053120070601"}, 64, ) }, 64, ) == 0x0 00888 468 NtOpenKey (0xf, {24, 136, 0x40, 0, 0, (0xf, {24, 136, 0x40, 0, 0, "MSHist012007053120070601"}, ... 132, ) }, ... 132, ) == 0x0 00889 468 NtQueryValueKey (132, (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheRepair", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00890 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00891 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00892 468 NtQueryValueKey (132, (132, "CachePath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00893 468 NtQueryValueKey (132, (132, "CachePath", Partial, 162, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) , Partial, 162, ... TitleIdx=0, Type=2, Data= (132, "CachePath", Partial, 162, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0H\0i\0s\0t\0o\0r\0y\0\\0H\0i\0s\0t\0o\0r\0y\0.\0I\0E\05\0\\0M\0S\0H\0i\0s\0t\00\01\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0\\0\0\0"}, 162, ) }, 162, ) == 0x0 00894 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00895 468 NtQueryValueKey (132, (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (132, "CachePrefix", Partial, 144, ... TitleIdx=0, Type=1, Data=":\02\00\00\07\00\05\03\01\02\00\00\07\00\06\00\01\0:\0 \0\0\0"}, 52, ) }, 52, ) == 0x0 00896 468 NtQueryValueKey (132, (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheLimit", Partial, 144, ... TitleIdx=0, Type=4, Data="\0 \0\0"}, 16, ) }, 16, ) == 0x0 00897 468 NtQueryValueKey (132, (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (132, "CacheOptions", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00898 468 NtClose (132, ... ) == 0x0 00899 468 NtEnumerateKey (136, 3, Basic, 288, ... 
) == STATUS_NO_MORE_ENTRIES 00900 468 NtReleaseMutant (88, ... 0x0, ) == 0x0 00901 468 NtClose (136, ... ) == 0x0 00902 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00903 468 NtQueryInformationFile (92, 1244584, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00904 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 00905 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00906 468 NtQueryInformationFile (92, 1244656, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00907 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 00908 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00910 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00911 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00912 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00913 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00914 468 NtQueryValueKey (136, (136, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00915 468 NtClose (136, ... ) == 0x0 00916 468 NtQueryValueKey (76, (76, "DisableWorkerThreadHibernation", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00917 468 NtQueryValueKey (76, (76, "DisableReadRange", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 468 NtQueryValueKey (76, (76, "SocketSendBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 468 NtQueryValueKey (76, (76, "SocketReceiveBufferLength", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 468 NtQueryValueKey (76, (76, "KeepAliveTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 468 NtQueryValueKey (76, (76, "MaxHttpRedirects", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 468 NtQueryValueKey (76, (76, "MaxConnectionsPerServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00923 468 NtQueryValueKey (76, (76, "MaxConnectionsPer1_0Server", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00924 468 NtQueryValueKey (76, (76, "ServerInfoTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00925 468 NtQueryValueKey (76, (76, "ReceiveTimeOut", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00926 468 NtQueryValueKey (76, (76, "DisableNTLMPreAuth", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00927 468 NtQueryValueKey (76, (76, "ScavengeCacheLowerBound", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache"}, ... 136, ) }, ... 136, ) == 0x0 00929 468 NtQueryValueKey (136, (136, "ScavengeCacheFileLifeTime", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 468 NtClose (136, ... ) == 0x0 00931 468 NtQueryValueKey (76, (76, "HttpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00932 468 NtQueryValueKey (76, (76, "FtpDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 468 NtQueryValueKey (76, (76, "GopherDefaultExpiryTimeSecs", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 468 NtQueryValueKey (76, (76, "DisableCachingOfSSLPages", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00935 468 NtQueryValueKey (76, (76, "PerUserCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00936 468 NtQueryValueKey (76, (76, "LeashLegacyCookies", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00937 468 NtQueryValueKey (76, (76, "DisableNT4RasCheck", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00938 468 NtQueryValueKey (76, (76, "DialupUseLanSettings", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00939 468 NtQueryValueKey (76, (76, "SendExtraCRLF", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00940 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 136, ) }, ... 136, ) == 0x0 00941 468 NtQueryValueKey (136, (136, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00942 468 NtClose (136, ... ) == 0x0 00943 468 NtQueryValueKey (76, (76, "DontUseDNSLoadBalancing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 468 NtQueryValueKey (76, (76, "NonBlockingClient32", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 468 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00946 468 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00947 468 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... 
TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00948 468 NtQueryValueKey (76, (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "MimeExclusionListForCache", Partial, 144, ... TitleIdx=0, Type=1, Data="m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0m\0i\0x\0e\0d\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0m\0i\0x\0e\0d\0-\0r\0e\0p\0l\0a\0c\0e\0 \0m\0u\0l\0t\0i\0p\0a\0r\0t\0/\0x\0-\0b\0y\0t\0e\0r\0a\0n\0g\0e\0s\0 \0\0\0"}, 144, ) }, 144, ) == 0x0 00949 468 NtAllocateVirtualMemory (-1, 1359872, 0, 4096, 4096, 4, ... 1359872, 4096, ) == 0x0 00950 468 NtQueryValueKey (76, (76, "HeaderExclusionListForCache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00951 468 NtQueryValueKey (76, (76, "DnsCacheEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00952 468 NtQueryValueKey (76, (76, "DnsCacheEntries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 468 NtQueryValueKey (76, (76, "DnsCacheTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00954 468 NtQueryValueKey (76, (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "WarnOnPost", Partial, 144, ... TitleIdx=0, Type=3, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00955 468 NtQueryValueKey (76, (76, "WarnAlwaysOnPost", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00956 468 NtQueryValueKey (76, (76, "WarnOnZoneCrossing", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00957 468 NtQueryValueKey (76, (76, "WarnOnBadCertSending", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00958 468 NtQueryValueKey (76, (76, "WarnOnBadCertRecving", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00959 468 NtQueryValueKey (76, (76, "WarnOnPostRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00960 468 NtQueryValueKey (76, (76, "AlwaysDrainOnRedirect", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00961 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetStartupMutex"}, ... 136, ) }, ... 136, ) == 0x0 00962 468 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 132, ) == 0x0 00963 468 NtQueryValueKey (76, (76, "GlobalUserOffline", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00964 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 00965 468 NtQueryInformationFile (92, 1244632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00966 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 00967 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetConnectionMutex"}, ... 144, ) }, ... 144, ) == 0x0 00968 468 NtCreateMutant (0x1f0001, 0x0, 0, ... 148, ) == 0x0 00969 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "WininetProxyRegistryMutex"}, ... 152, ) }, ... 152, ) == 0x0 00970 468 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00971 468 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00972 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... 156, ) }, ... 156, ) == 0x0 00973 468 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00974 468 NtQueryValueKey (156, (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (156, "UrlEncoding", Partial, 144, ... TitleIdx=0, Type=1, Data="0\0x\00\00\00\00\00\00\00\00\0\0\0"}, 34, ) }, 34, ) == 0x0 00975 468 NtClose (156, ... ) == 0x0 00976 468 NtCreateEvent (0x1f0003, 0x0, 1, 1, ... 156, ) == 0x0 00977 468 NtWaitForSingleObject (156, 0, 0x0, ... ) == 0x0 00978 468 NtClearEvent (156, ... ) == 0x0 00979 468 NtSetEvent (156, ... 0x0, ) == 0x0 00980 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 160, ) }, ... 160, ) == 0x0 00981 468 NtQueryValueKey (160, (160, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00982 468 NtQueryValueKey (160, (160, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (160, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00983 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 
164, ) == 0x0 00984 468 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "Protocol_Catalog9"}, ... 168, ) }, ... 168, ) == 0x0 00985 468 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00986 468 NtNotifyChangeKey (168, 164, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 00987 468 NtQueryValueKey (168, (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\31\0\0\0"}, 16, ) }, 16, ) == 0x0 00988 468 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "00000019"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00989 468 NtQueryValueKey (168, (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="\376\3\0\0"}, 16, ) }, 16, ) == 0x0 00990 468 NtQueryValueKey (168, (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (168, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\13\0\0\0"}, 16, ) }, 16, ) == 0x0 00991 468 NtOpenKey (0x2000000, {24, 168, 0x40, 0, 0, (0x2000000, {24, 168, 0x40, 0, 0, "Catalog_Entries"}, ... 172, ) }, ... 172, ) == 0x0 00992 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000001"}, ... 176, ) }, ... 176, ) == 0x0 00993 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00994 468 NtAllocateVirtualMemory (-1, 1363968, 0, 4096, 4096, 4, ... 
1363968, 4096, ) == 0x0 00995 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00996 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\345\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0\346\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\347\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\350\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00997 468 NtClose (176, ... ) == 0x0 00998 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000002"}, ... 176, ) }, ... 176, ) == 0x0 00999 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01000 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01001 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\352\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0\353\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\354\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\355\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01002 468 NtClose (176, ... ) == 0x0 01003 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000003"}, ... 176, ) }, ... 176, ) == 0x0 01004 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01005 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01006 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\357\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0\360\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\361\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\362\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01007 468 NtClose (176, ... ) == 0x0 01008 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000004"}, ... 176, ) }, ... 176, ) == 0x0 01009 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01010 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01011 468 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 1368064, 4096, ) == 0x0 01012 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 \22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\310\371\252\1\26\0\30\0\10<_u\0\0\0\0|\370\252\1\27\207`u\0\0\0\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\30\371\252\1\17.\365w\13\30\365w\1\0\0\0\0\374\252\1\4\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\17.\365w\0\0\0\0\250\371\252\1 
\22\365wO\22\365wT\22\365w\0\0\0\0\204\3\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\365\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0\366\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\367\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\370\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01013 468 NtClose (176, ... ) == 0x0 01014 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000005"}, ... 176, ) }, ... 176, ) == 0x0 01015 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01016 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01017 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 \0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\17.\365w\13\30\365w\0\0\0\0\4+Y\1\2\0\0\0\1\0\0\0\17.\365w\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\0\0\0\0\362_du\3`du\240\1\10\0\250\5N\1 
\0\0\0\0\0\0\0\240\1\10\0\310\5N\1H\344\301\0\0\0\0\0\0\0\0\0\0\0\245\0\0\0\10\0@\5N\1\0\0\0\0\204\3\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\372\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0\373\3\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\374\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\375\3\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01018 468 NtClose (176, ... ) == 0x0 01019 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000006"}, ... 176, ) }, ... 176, ) == 0x0 01020 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01021 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01022 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\356\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\377\3\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0\0\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\1\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\2\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01023 468 NtClose (176, ... ) == 0x0 01024 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000007"}, ... 176, ) }, ... 176, ) == 0x0 01025 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01026 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01027 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\357\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\04\0F\0E\05\07\0D\07\0B\0-\00\03\0A\05\0-\04\08\0B\02\0-\08\0\0\0\0\0\204\3\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\4\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0\5\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\6\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\7\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01028 468 NtClose (176, ... ) == 0x0 01029 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000008"}, ... 176, ) }, ... 176, ) == 0x0 01030 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01031 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01032 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\360\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\11\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0\12\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\13\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\14\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01033 468 NtClose (176, ... ) == 0x0 01034 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000009"}, ... 176, ) }, ... 176, ) == 0x0 01035 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01036 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01037 468 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01038 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\361\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0B\0E\07\0E\00\06\0F\0-\06\02\00\0F\0-\04\0E\0A\0A\0-\0A\0\0\0\0\0\204\3\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\17\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0\20\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\21\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\22\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01039 468 NtClose (176, ... ) == 0x0 01040 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000010"}, ... 176, ) }, ... 176, ) == 0x0 01041 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01042 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01043 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0 (176, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\362\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\24\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0\254\0\0\0\224\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\00\314\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\25\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\260\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\26\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\27\4\0\0\320\1\0\0\324\1\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0\260\0\0\0\0\0\0\0"\0\12\2\0\354\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 01044 468 NtClose (176, ... ) == 0x0 01045 468 NtOpenKey (0x20019, {24, 172, 0x40, 0, 0, (0x20019, {24, 172, 0x40, 0, 0, "000000000011"}, ... 176, ) }, ... 176, ) == 0x0 01046 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01047 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 01048 468 NtQueryValueKey (176, (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\31\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\31\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\32\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\4\0\0\320\1\0\0\324\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\33\4\0\0\320\1\0\0\324\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\34\4\0\0\320\1\0\0\324\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\34\4\0\0\320\1\0\0\324\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0\35\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\240\0\0\0\260\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\0\314\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (176, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0gram\FSLSP.DLL\0\00\0\0\0\10\0\2\0\10\0\4\1\10\0h\220\354\28\220\354\2\2\0\12\0\4\1\12\00\00\0\0\0\10\0\2\0\14\0\4\1\10\0\210\220\354\2X\220\354\2\2\0\16\0\4\1\12\00\00\0\0\0\10\0\2\0\20\0\4\1\10\0\250\220\354\2x\220\354\2\2\0\22\0\4\1\12\00\00\0\0\0\10\0\2\0\24\0\4\1\10\0\310\220\354\2\230\220\354\2\2\0\26\0\4\1\12\00\00\0\0\0\10\0\2\0\30\0\4\1\10\0\0\0\0\0\270\220\354\2\2\0\32\0\4\1\10\0H\0K\0R\0\0\0\3\0\34\0\4\1\10\0\360\222\354\2\0\0\0\0\0\221\354\2\16\0\0\0<\0\37\0\4\0\10\0X\3\10\0X\3\10\0\4\0\2\0\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\363\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0D\01\09\0D\0F\08\08\02\0-\0A\09\0C\0B\0-\04\01\04\04\0-\08\0\0\0\0\0\204\3\0\0\31\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\260\0\0\0\31\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\32\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0\254\0\0\0\32\4\0\0\320\1\0\0\324\1\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\33\4\0\0\320\1\0\0\324\1\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\244\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\33\4\0\0\320\1\0\0\324\1\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\34\4\0\0\320\1\0\0\324\1\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\34\4\0\0\320\1\0\0\324\1\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0\254\0\0\0\35\4\0\0\320\1\0\0\324\1\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\0\240\0\0\0\260\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\0\314\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) }, 900, ) == 0x0 01049 468 NtClose (176, ... ) == 0x0 01050 468 NtClose (172, ... 
) == 0x0 01051 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 01052 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 172, ) == 0x0 01053 468 NtOpenKey (0x2000000, {24, 160, 0x40, 0, 0, (0x2000000, {24, 160, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 176, ) }, ... 176, ) == 0x0 01054 468 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01055 468 NtNotifyChangeKey (176, 172, 0, 0, 2011390432, 1, 0, 0, 0, 1, ... ) == 0x103 01056 468 NtQueryValueKey (176, (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 01057 468 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "00000004"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01058 468 NtQueryValueKey (176, (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (176, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 01059 468 NtOpenKey (0x2000000, {24, 176, 0x40, 0, 0, (0x2000000, {24, 176, 0x40, 0, 0, "Catalog_Entries"}, ... 180, ) }, ... 180, ) == 0x0 01060 468 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000001"}, ... 184, ) }, ... 184, ) == 0x0 01061 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01062 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01063 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01064 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01065 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01066 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 01067 468 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 01068 468 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01069 468 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 01070 468 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01071 468 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01072 468 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01073 468 NtClose (184, ... ) == 0x0 01074 468 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000002"}, ... 184, ) }, ... 184, ) == 0x0 01075 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01076 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 01077 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01078 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01079 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01080 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 01081 468 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... 
TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 01082 468 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01083 468 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 01084 468 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01085 468 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01086 468 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01087 468 NtClose (184, ... ) == 0x0 01088 468 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 1376256, 4096, ) == 0x0 01089 468 NtOpenKey (0x20019, {24, 180, 0x40, 0, 0, (0x20019, {24, 180, 0x40, 0, 0, "000000000003"}, ... 184, ) }, ... 184, ) == 0x0 01090 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01091 468 NtQueryValueKey (184, (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 01092 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01093 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01094 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01095 468 NtQueryValueKey (184, (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (184, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 01096 468 NtQueryValueKey (184, (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (184, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 01097 468 NtQueryValueKey (184, (184, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01098 468 NtQueryValueKey (184, (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 01099 468 NtQueryValueKey (184, (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01100 468 NtQueryValueKey (184, (184, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01101 468 NtQueryValueKey (184, (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (184, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01102 468 NtClose (184, ... ) == 0x0 01103 468 NtClose (180, ... ) == 0x0 01104 468 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 01105 468 NtClose (160, ... ) == 0x0 01106 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01107 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01108 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 160, ) }, ... 160, ) == 0x0 01109 468 NtQueryValueKey (160, (160, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01110 468 NtClose (160, ... ) == 0x0 01111 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 160, ) == 0x0 01112 468 NtClearEvent (132, ... ) == 0x0 01113 468 NtSetEvent (132, ... 0x0, ) == 0x0 01114 468 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 1380352, 4096, ) == 0x0 01115 468 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 01116 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1241212, ... ) }, 1241212, ... ) == 0x0 01117 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 180, {status=0x0, info=1}, ) }, 5, 96, ... 
180, {status=0x0, info=1}, ) == 0x0 01118 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 180, ... 184, ) == 0x0 01119 468 NtClose (180, ... ) == 0x0 01120 468 NtMapViewOfSection (184, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 229376, ) == 0x0 01121 468 NtClose (184, ... ) == 0x0 01122 468 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 01123 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1241528, ... ) }, 1241528, ... ) == 0x0 01124 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01125 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 180, ) == 0x0 01126 468 NtQuerySection (180, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01127 468 NtClose (184, ... ) == 0x0 01128 468 NtMapViewOfSection (180, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 241664, ) == 0x0 01129 468 NtClose (180, ... ) == 0x0 01130 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01131 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01132 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 180, ) == 0x0 01133 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01134 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 1241328, ... ) }, 1241328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01135 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "DNSAPI.dll"}, 1241328, ... 
) }, 1241328, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01136 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 1241328, ... ) }, 1241328, ... ) == 0x0 01137 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DNSAPI.dll"}, 5, 96, ... 184, {status=0x0, info=1}, ) }, 5, 96, ... 184, {status=0x0, info=1}, ) == 0x0 01138 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 184, ... 188, ) == 0x0 01139 468 NtQuerySection (188, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01140 468 NtClose (184, ... ) == 0x0 01141 468 NtMapViewOfSection (188, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f20000), 0x0, 151552, ) == 0x0 01142 468 NtClose (188, ... ) == 0x0 01143 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 188, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 188, 2, ) , 0, ... 188, 2, ) == 0x0 01144 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 184, ) }, ... 184, ) == 0x0 01145 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01146 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DNS"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01147 468 NtQueryValueKey (184, (184, "QueryAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01148 468 NtQueryValueKey (188, (188, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01149 468 NtQueryValueKey (184, (184, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01150 468 NtQueryValueKey (188, (188, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (188, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01151 468 NtQueryValueKey (184, (184, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01152 468 NtQueryValueKey (188, (188, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01153 468 NtQueryValueKey (184, (184, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01154 468 NtQueryValueKey (188, (188, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01155 468 NtQueryValueKey (184, (184, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01156 468 NtQueryValueKey (184, (184, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01157 468 NtQueryValueKey (184, (184, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01158 468 NtQueryValueKey (184, (184, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01159 468 NtQueryValueKey (184, (184, "WaitForNameErrorOnAll", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01160 468 NtQueryValueKey (184, (184, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01161 468 NtQueryValueKey (184, (184, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01162 468 NtQueryValueKey (188, (188, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01163 468 NtQueryValueKey (184, (184, "RegisterPrimaryName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01164 468 NtQueryValueKey (184, (184, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01165 468 NtQueryValueKey (188, (188, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01166 468 NtQueryValueKey (184, (184, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01167 468 NtQueryValueKey (188, (188, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01168 468 NtQueryValueKey (184, (184, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01169 468 NtQueryValueKey (188, (188, "DisableWanDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01170 468 NtQueryValueKey (184, (184, "RegistrationOverwritesInConflict", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01171 468 NtQueryValueKey (188, (188, "DisableReplaceAddressesInConflicts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01172 468 NtQueryValueKey (184, (184, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01173 468 NtQueryValueKey (188, (188, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01174 468 NtQueryValueKey (184, (184, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01175 468 NtQueryValueKey (188, (188, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01176 468 NtQueryValueKey (184, (184, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01177 468 NtQueryValueKey (188, (188, "MaxNumberOfAddressesToRegister", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01178 468 NtQueryValueKey (184, (184, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01179 468 NtQueryValueKey (188, (188, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01180 468 NtQueryValueKey (184, (184, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01181 468 NtQueryValueKey (184, (184, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01182 468 NtQueryValueKey (184, (184, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01183 468 NtQueryValueKey (184, (184, "MaxCacheSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01184 468 NtQueryValueKey (184, (184, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01185 468 NtQueryValueKey (184, (184, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01186 468 NtQueryValueKey (184, (184, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01187 468 NtQueryValueKey (184, (184, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01188 468 NtQueryValueKey (184, (184, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01189 468 NtQueryValueKey (184, (184, "UseMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01190 468 NtQueryValueKey (184, (184, "MulticastOnNameError", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01191 468 NtQueryValueKey (184, (184, "UseDotLocalDomain", Partial, 144, ... 
) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01192 468 NtQueryValueKey (184, (184, "ListenOnMulticast", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01193 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 192, ) }, ... 192, ) == 0x0 01194 468 NtQueryValueKey (192, (192, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (192, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01195 468 NtClose (192, ... ) == 0x0 01196 468 NtClose (188, ... ) == 0x0 01197 468 NtClose (184, ... ) == 0x0 01198 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 184, ) }, ... 184, ) == 0x0 01199 468 NtQueryValueKey (184, (184, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01200 468 NtQueryValueKey (184, (184, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01201 468 NtQueryValueKey (184, (184, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01202 468 NtClose (184, ... ) == 0x0 01203 468 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 1384448, 4096, ) == 0x0 01204 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01205 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01206 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... 184, ) }, ... 184, ) == 0x0 01207 468 NtQueryValueKey (184, (184, "MaxRpcSize", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01208 468 NtClose (184, ... ) == 0x0 01209 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01210 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 184, ) == 0x0 01211 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 188, ) == 0x0 01212 468 NtQuerySystemTime (... {-887077132, 29889241}, ) == 0x0 01213 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 192, ) == 0x0 01214 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01215 468 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 0x0, ) == 0x0 01216 468 NtQueryInformationProcess (-1, QuotaLimits, 32, ... {process info, class 1, size 32}, 0x0, ) == 0x0 01217 468 NtQueryInformationProcess (-1, VmCounters, 44, ... {process info, class 3, size 44}, 0x0, ) == 0x0 01218 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 196, ) == 0x0 01219 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 200, ) == 0x0 01220 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 01221 468 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1241804, 112, ... 208, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241804, 112, ... 
208, 0x0, 0x0, 0x0, 112, ) == 0x0 01222 468 NtRequestWaitReplyPort (208, {128, 152, new_msg, 0, 1310720, 127136, 1310720, 1241568} (208, {128, 152, new_msg, 0, 1310720, 127136, 1310720, 1241568} "\0$\370w\220\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\300'\25\0\350'\25\0X)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\325\0\0\0" ... {128, 152, reply, 0, 464, 468, 1574, 0} "\7$\370w\220\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\300'\25\0\350'\25\0X)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\325\0\0\0" ) ... {128, 152, reply, 0, 464, 468, 1574, 0} (208, {128, 152, new_msg, 0, 1310720, 127136, 1310720, 1241568} "\0$\370w\220\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\300'\25\0\350'\25\0X)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\325\0\0\0" ... {128, 152, reply, 0, 464, 468, 1574, 0} "\7$\370w\220\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0x\1\24\0x\1\24\0\0\0\0\0\300'\25\0\350'\25\0X)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\325\0\0\0" ) ) == 0x0 01223 468 NtRequestWaitReplyPort (208, {64, 88, new_msg, 0, 0, 0, 0, 0} (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 464, 468, 1575, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... 
{52, 76, reply, 0, 464, 468, 1575, 0} (208, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 464, 468, 1575, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\360V\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01224 468 NtClose (204, ... ) == 0x0 01225 468 NtClose (208, ... ) == 0x0 01226 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 01227 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01228 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01229 468 NtQueryValueKey (208, (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01230 468 NtQueryValueKey (208, (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01231 468 NtClose (208, ... ) == 0x0 01232 468 NtClose (204, ... ) == 0x0 01233 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 01234 468 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1241668, 112, ... 
208, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241668, 112, ... 208, 0x0, 0x0, 0x0, 112, ) == 0x0 01235 468 NtRequestWaitReplyPort (208, {128, 152, new_msg, 0, 1310720, 127000, 1310720, 1241432} (208, {128, 152, new_msg, 0, 1310720, 127000, 1310720, 1241432} "\0$\370w\10\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0P'\25\0\360'\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0D\363\22\0x\1\24\0\0\0\0\0X)\25\0\5\0\0\0" ... {128, 152, reply, 0, 464, 468, 1578, 0} "\7$\370w\10\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0P'\25\0\360'\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0D\363\22\0x\1\24\0\0\0\0\0X)\25\0\5\0\0\0" ) ... {128, 152, reply, 0, 464, 468, 1578, 0} (208, {128, 152, new_msg, 0, 1310720, 127000, 1310720, 1241432} "\0$\370w\10\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0P'\25\0\360'\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0D\363\22\0x\1\24\0\0\0\0\0X)\25\0\5\0\0\0" ... {128, 152, reply, 0, 464, 468, 1578, 0} "\7$\370w\10\370\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0P'\25\0\360'\25\0\0\0\0\0\10\0\0\0?\360\367w\221\337\314w\0\0\0\0\0\0\22\0D\363\22\0x\1\24\0\0\0\0\0X)\25\0\5\0\0\0" ) ) == 0x0 01236 468 NtRequestWaitReplyPort (208, {44, 68, new_msg, 0, 464, 468, 1575, 0} (208, {44, 68, new_msg, 0, 464, 468, 1575, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 464, 468, 1579, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ... 
{40, 64, reply, 0, 464, 468, 1579, 0} (208, {44, 68, new_msg, 0, 464, 468, 1575, 0} "\1\0\0\0A\2\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0" ... {40, 64, reply, 0, 464, 468, 1579, 0} "\2\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\324\1\0\0\240,\11\0" ) ) == 0x0 01237 468 NtRequestWaitReplyPort (208, {64, 88, new_msg, 56, 0, 1, 0, 0} (208, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\363\22\0@\0\314w\350&\25\0\14\364\22\0t\364\22\0\0\267\362vt\364\22\0\350&\25\0\1\0\0\0\360*\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 464, 468, 1580, 0} "\10\363\22\0@\0\314w\350&\25\0\14\364\22\0t\364\22\0\0\267\362vt\364\22\0\350&\25\0\1\0\0\0\360*\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {64, 88, reply, 56, 464, 468, 1580, 0} (208, {64, 88, new_msg, 56, 0, 1, 0, 0} "\10\363\22\0@\0\314w\350&\25\0\14\364\22\0t\364\22\0\0\267\362vt\364\22\0\350&\25\0\1\0\0\0\360*\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {64, 88, reply, 56, 464, 468, 1580, 0} "\10\363\22\0@\0\314w\350&\25\0\14\364\22\0t\364\22\0\0\267\362vt\364\22\0\350&\25\0\1\0\0\0\360*\25\0\324\1\0\0\324\1\0\0\240,\11\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 01238 468 NtClose (204, ... ) == 0x0 01239 468 NtClose (208, ... ) == 0x0 01240 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 01241 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01242 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01243 468 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01244 468 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01245 468 NtClose (208, ... ) == 0x0 01246 468 NtClose (204, ... ) == 0x0 01247 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 204, ) }, ... 204, ) == 0x0 01248 468 NtQueryValueKey (204, (204, "DnsNbtLookupOrder", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01249 468 NtClose (204, ... ) == 0x0 01250 468 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 1388544, 4096, ) == 0x0 01251 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1241212, ... ) }, 1241212, ... ) == 0x0 01252 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 204, {status=0x0, info=1}, ) }, 5, 96, ... 204, {status=0x0, info=1}, ) == 0x0 01253 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 204, ... 208, ) == 0x0 01254 468 NtClose (204, ... ) == 0x0 01255 468 NtMapViewOfSection (208, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x8a0000), 0x0, 16384, ) == 0x0 01256 468 NtClose (208, ... ) == 0x0 01257 468 NtUnmapViewOfSection (-1, 0x8a0000, ... ) == 0x0 01258 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 1241528, ... ) }, 1241528, ... ) == 0x0 01259 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... 
208, {status=0x0, info=1}, ) }, 5, 96, ... 208, {status=0x0, info=1}, ) == 0x0 01260 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 208, ... 204, ) == 0x0 01261 468 NtQuerySection (204, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01262 468 NtClose (208, ... ) == 0x0 01263 468 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fb0000), 0x0, 28672, ) == 0x0 01264 468 NtClose (204, ... ) == 0x0 01265 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... 204, ) }, ... 204, ) == 0x0 01266 468 NtMapViewOfSection (204, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f60000), 0x0, 180224, ) == 0x0 01267 468 NtClose (204, ... ) == 0x0 01268 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 204, ) == 0x0 01269 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 208, ) }, ... 208, ) == 0x0 01270 468 NtQueryValueKey (208, (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01271 468 NtClose (208, ... ) == 0x0 01272 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1241212, ... ) }, 1241212, ... ) == 0x0 01273 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01274 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9043968, 65536, ) == 0x0 01275 468 NtAllocateVirtualMemory (-1, 9043968, 0, 4096, 4096, 4, ... 9043968, 4096, ) == 0x0 01276 468 NtAllocateVirtualMemory (-1, 9048064, 0, 8192, 4096, 4, ... 
9048064, 8192, ) == 0x0 01277 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 208, ) == 0x0 01278 468 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1241500, 112, ... 212, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1241500, 112, ... 212, 0x0, 0x0, 0x0, 112, ) == 0x0 01279 468 NtRequestWaitReplyPort (212, {128, 152, new_msg, 0, 1310720, 126832, 1310720, 1241264} (212, {128, 152, new_msg, 0, 1310720, 126832, 1310720, 1241264} "\0$\370w`\367\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\3201\25\0\3701\25\0h3\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\223\1\0\0" ... {128, 152, reply, 0, 464, 468, 1583, 0} "\7$\370w`\367\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\3201\25\0\3701\25\0h3\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\223\1\0\0" ) ... {128, 152, reply, 0, 464, 468, 1583, 0} (212, {128, 152, new_msg, 0, 1310720, 126832, 1310720, 1241264} "\0$\370w`\367\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\210)\25\0\4\0\0\0\210)\25\0\20\344\314w\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\3201\25\0\3701\25\0h3\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\223\1\0\0" ... 
{128, 152, reply, 0, 464, 468, 1583, 0} "\7$\370w`\367\22\0\2$\370w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\210)\25\0\377\377\377\377\210)\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0x\1\24\0x\1\24\0\0\0\0\0\3201\25\0\3701\25\0h3\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\223\1\0\0" ) ) == 0x0 01280 468 NtRequestWaitReplyPort (212, {64, 88, new_msg, 0, 464, 468, 1579, 0} (212, {64, 88, new_msg, 0, 464, 468, 1579, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 464, 468, 1584, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 464, 468, 1584, 0} (212, {64, 88, new_msg, 0, 464, 468, 1579, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {52, 76, reply, 0, 464, 468, 1584, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 01281 468 NtClose (208, ... ) == 0x0 01282 468 NtClose (212, ... ) == 0x0 01283 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 212, 2, ) , 0, ... 212, 2, ) == 0x0 01284 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 208, ) }, ... 208, ) == 0x0 01285 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01286 468 NtQueryValueKey (212, (212, "Hostname", Partial, 144, ... 
TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01287 468 NtQueryValueKey (212, (212, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01288 468 NtClose (212, ... ) == 0x0 01289 468 NtClose (208, ... ) == 0x0 01290 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 01291 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 01292 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01293 468 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01294 468 NtQueryValueKey (208, (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (208, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01295 468 NtClose (208, ... ) == 0x0 01296 468 NtClose (212, ... ) == 0x0 01297 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01298 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 212, ) }, ... 212, ) == 0x0 01299 468 NtQueryValueKey (212, (212, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01300 468 NtQueryValueKey (212, (212, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (212, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 01301 468 NtClose (212, ... ) == 0x0 01302 468 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 212, ) }, ... 212, ) == 0x0 01303 468 NtWaitForSingleObject (212, 0, {-1800000000, -1}, ... ) == 0x0 01304 468 NtClose (212, ... ) == 0x0 01305 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 212, ) }, ... 212, ) == 0x0 01306 468 NtOpenKey (0x20019, {24, 212, 0x40, 0, 0, (0x20019, {24, 212, 0x40, 0, 0, "ActiveComputerName"}, ... 208, ) }, ... 208, ) == 0x0 01307 468 NtQueryValueKey (208, (208, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (208, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (208, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01308 468 NtClose (208, ... ) == 0x0 01309 468 NtClose (212, ... ) == 0x0 01310 468 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 
212, ) == 0x0 01311 468 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 208, ) == 0x0 01312 468 NtDuplicateObject (-1, 212, -1, 0x0, 0, 2, ... 216, ) == 0x0 01313 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01314 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 220, ) == 0x0 01315 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01316 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01317 468 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 1392640, 4096, ) == 0x0 01318 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1242372, (0xc0100080, {24, 0, 0x40, 0, 1242372, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 224, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 224, {status=0x0, info=1}, ) == 0x0 01319 468 NtSetInformationFile (224, 1242428, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01320 468 NtSetInformationFile (224, 1242420, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01321 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01322 468 NtWriteFile (224, 197, 0, 0, (224, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01323 468 NtReadFile (224, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (224, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01324 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\33\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\205"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01325 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 64, 1024, ... {status=0x103, info=48}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\2\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0\0\0\0\0", 64, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01326 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , 64, 1024, ... {status=0x103, info=624}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\3\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\02\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\2\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\2\0\0\340\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\316\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\226\1\0\0~\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0l\1\0\0B\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\1\0\0\32\1\0\0 \0\0\0\4\0\0\0\31\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0E\0R\0S\0v\0c\0\0\0DNS Client\0\0i\0e\0n\0t\0\0\0Dnscache\0\0c\0h\0e\0\0\0Logical Disk Manager\0\0k\0 \0M\0a\0n\0a\0g\0e\0r\0\0\0dmserver\0\0v\0e\0r\0\0\0DHCP Client\0l\0i\0e\0n\0t\0\0\0Dhcp\0\0p\0\0\0Cryptographic Services\0\0c\0 \0S\0e\0r\0v\0i\0c\0e\0s\0\0\0CryptSvc\0\0", ) , ) == 0x103 01327 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\4\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0>\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\3\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\4\2\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\362\1\0\0\336\1\0\0 \0\0\0\4\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\306\1\0\0\242\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0d\1\0\0 \1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\1\0\0\356\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Help and Support\0\0S\0u\0p\0p\0o\0r\0t\0\0\0helpsvc\0s\0v\0c\0\0\0Fast User Switching Compatibility\0n\0g\0 \0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0FastUserSwitchingCompatibility\0\0g\0C\0o\0m\0p\0a\0t\0i\0b\0i\0l\0i\0t\0y\0\0\0COM+ Event System\0t\0 \0S\0y\0s\0t\0e\0m\0\0\0EventSystem\0y\0s\0t\0", ) , ) == 0x103 01328 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , 64, 1024, ... {status=0x103, info=624}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\5\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0p\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\4\0\0\0X\2\0\0\0\0\0\0@\2\0\0&\2\0\0\30\2\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\364\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\314\1\0\0\240\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\214\1\0\0x\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0j\1\0\0B\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0:\1\0\0\370\0\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Network Location Awareness (NLA)\0\0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0\0\0Nla\0a\0\0\0Network Connections\0n\0n\0e\0c\0t\0i\0o\0n\0s\0\0\0Netman\0\0a\0n\0\0\0Messenger\0n\0g\0e\0r\0\0\0Messenger\0n\0g\0e\0r\0\0\0TCP/IP NetBIOS Helper\0I\0O\0S\0 \0H\0e\0l\0p\0e\0r\0\0\0LmHosts\0s\0t\0", ) , ) == 0x103 01329 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , 64, 1024, ... {status=0x103, info=624}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\6\0\0\0(\0\0\0\0\0\32\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\1\0\0\0@\2\0\0\320\375\22\0\242\0\0\0", 64, 1024, ... 
{status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\5\0\0\0X\2\0\0\0\0\0\0@\2\0\0.\2\0\0\22\2\0\0 \0\0\0\4\0\0\0\204\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\372\1\0\0\334\1\0\0 \0\0\0\4\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\272\1\0\0\226\1\0\0 \1\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\0\0X\1\0\0 \0\0\0\4\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0L\1\0\0\24\1\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0a\0m\0S\0s\0\0\0Remote Procedure Call (RPC)\0r\0e\0 \0C\0a\0l\0l\0 \0(\0R\0P\0C\0)\0\0\0RpcSs\0S\0s\0\0\0Remote Registry\0e\0g\0i\0s\0t\0r\0y\0\0\0RemoteRegistry\0\0g\0i\0s\0t\0r\0y\0\0\0Protected Storage\0 \0S\0t\0o\0r\0a\0g\0e\0\0\0ProtectedStorage\0\0S\0t\0o\0r\0a\0g\0", ) , ) == 0x103 01330 468 NtFsControlFile (224, 197, 0x0, 0x0, 0x11c017, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , 44, 1024, ... 
{status=0x103, info=624}, (224, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\7\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\345-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=624}, "\5\0\2\3\20\0\0\0p\2\0\0\6\0\0\0X\2\0\0\0\0\0\0@\2\0\04\2\0\0\0\2\0\0 \0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\356\1\0\0\320\1\0\0 \1\0\0\4\0\0\0G\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\276\1\0\0\236\1\0\0 \1\0\0\4\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\224\1\0\0`\1\0\0 \0\0\0\4\0\0\0A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>\1\0\0\14\1\0\0 \0\0\0\4\0\0\0\207\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\374\0\0\0\340\0\0\0\20\1\0\0\4\0\0\0E\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0Print Spooler\0p\0o\0o\0l\0e\0r\0\0\0Spooler\0l\0e\0r\0\0\0Shell Hardware Detection\0\0e\0 \0D\0e\0t\0e\0c\0t\0i\0o\0n\0\0\0ShellHWDetection\0\0t\0e\0c\0t\0i\0o\0n\0\0\0System Event Notification\0N\0o\0t\0i\0f\0i\0c\0a\0t\0i\0o\0n\0\0\0SENS\0\0S\0\0\0Secondary Logon\0y\0 \0L\0o\0g\0o\0n\0\0\0seclogon\0\0g\0o\0n\0\0\0Task Sch", ) , ) == 0x103 01331 468 NtClose (220, ... ) == 0x0 01332 468 NtClose (224, ... ) == 0x0 01333 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "sensapi.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01334 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\sensapi.dll"}, 1242632, ... ) }, 1242632, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01335 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "sensapi.dll"}, 1242632, ... ) }, 1242632, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01336 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 1242632, ... ) }, 1242632, ... ) == 0x0 01337 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\sensapi.dll"}, 5, 96, ... 224, {status=0x0, info=1}, ) }, 5, 96, ... 
224, {status=0x0, info=1}, ) == 0x0 01338 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 224, ... 220, ) == 0x0 01339 468 NtQuerySection (220, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01340 468 NtClose (224, ... ) == 0x0 01341 468 NtMapViewOfSection (220, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x722b0000), 0x0, 20480, ) == 0x0 01342 468 NtClose (220, ... ) == 0x0 01343 468 NtOpenSection (0x4, {24, 56, 0x0, 0, 0, (0x4, {24, 56, 0x0, 0, 0, "SENS Information Cache"}, ... 220, ) }, ... 220, ) == 0x0 01344 468 NtMapViewOfSection (220, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x8b0000), {0, 0}, 4096, ) == 0x0 01345 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 224, ) == 0x0 01346 468 NtConnectPort ( ("\RPC Control\senssvc", {12, 2, 1, 1}, 0x0, 0x0, 1243096, 112, ... 228, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1243096, 112, ... 228, 0x0, 0x0, 0x0, 112, ) == 0x0 01347 468 NtRequestWaitReplyPort (228, {128, 152, new_msg, 0, 128428, 1310720, 1242860, 2012750850} (228, {128, 152, new_msg, 0, 128428, 1310720, 1242860, 2012750850} "\0\375\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\20\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\00\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 468, 1587, 0} "\7\375\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\00\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... 
{128, 152, reply, 0, 464, 468, 1587, 0} (228, {128, 152, new_msg, 0, 128428, 1310720, 1242860, 2012750850} "\0\375\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w(\20\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\00\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 468, 1587, 0} "\7\375\22\0\2$\370w\370T\367w$\344\373c) \321\21\215\270\0\252\0J\275^\1\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 \0\0\0\0\0\0\0\240\1\24\0\240\1\24\0\0\0+\00\23\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\20\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 01348 468 NtRequestWaitReplyPort (228, {32, 56, new_msg, 0, 44, 7, 20, 0} (228, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 464, 468, 1588, 0} "\2[\2\370\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\12\31\201\326\2\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\30\00\300p\322\22\201\326\2\0\0\30\00\300\0\0\0\0\350\219\341\0\0\0\0\377\377\234\1\340[\2\370\277\6O\200\30\00\300\340[\2\370X\5O\200\0\0\231\1\0\0\0\0\0\0\0\0\220\323/\201p\322\22\201\1\0\0\0" ) ... {124, 148, reply, 0, 464, 468, 1588, 0} (228, {32, 56, new_msg, 0, 44, 7, 20, 0} "\1\0\0\0A\2\0\0\315~\334\21\261\310\0\14)\371\246\3050\0\0\0\377\377\377\377@\2\0\0" ... {124, 148, reply, 0, 464, 468, 1588, 0} "\2[\2\370\1\0N\200`9\210\200d8\0\0d8\0\0`9\210\200\260\12\31\201\326\2\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\30\00\300p\322\22\201\326\2\0\0\30\00\300\0\0\0\0\350\219\341\0\0\0\0\377\377\234\1\340[\2\370\277\6O\200\30\00\300\340[\2\370X\5O\200\0\0\231\1\0\0\0\0\0\0\0\0\220\323/\201p\322\22\201\1\0\0\0" ) ) == 0x0 01349 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 01350 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "iphlpapi.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01351 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\iphlpapi.dll"}, 1242672, ... ) }, 1242672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01352 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "iphlpapi.dll"}, 1242672, ... ) }, 1242672, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01353 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 1242672, ... ) }, 1242672, ... ) == 0x0 01354 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\iphlpapi.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01355 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01356 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01357 468 NtClose (232, ... ) == 0x0 01358 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d60000), 0x0, 86016, ) == 0x0 01359 468 NtClose (236, ... ) == 0x0 01360 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "netman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01361 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\netman.dll"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01362 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "netman.dll"}, 1241868, ... ) }, 1241868, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01363 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 1241868, ... ) }, 1241868, ... ) == 0x0 01364 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\netman.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01365 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 
232, ) == 0x0 01366 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01367 468 NtClose (236, ... ) == 0x0 01368 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76de0000), 0x0, 155648, ) == 0x0 01369 468 NtClose (232, ... ) == 0x0 01370 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "MPRAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01371 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\MPRAPI.dll"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01372 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "MPRAPI.dll"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01373 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0 01374 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\MPRAPI.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01375 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01376 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01377 468 NtClose (232, ... ) == 0x0 01378 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d40000), 0x0, 90112, ) == 0x0 01379 468 NtClose (236, ... ) == 0x0 01380 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ACTIVEDS.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01381 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ACTIVEDS.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01382 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "ACTIVEDS.dll"}, 1240260, ... ) }, 1240260, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01383 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01384 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ACTIVEDS.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01385 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01386 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01387 468 NtClose (236, ... ) == 0x0 01388 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e40000), 0x0, 192512, ) == 0x0 01389 468 NtClose (232, ... ) == 0x0 01390 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "adsldpc.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01391 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\adsldpc.dll"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01392 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "adsldpc.dll"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01393 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 1239456, ... ) }, 1239456, ... ) == 0x0 01394 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\adsldpc.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01395 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01396 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01397 468 NtClose (232, ... ) == 0x0 01398 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e10000), 0x0, 147456, ) == 0x0 01399 468 NtClose (236, ... 
) == 0x0 01400 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "NETAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01401 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\NETAPI32.dll"}, 1238652, ... ) }, 1238652, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01402 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "NETAPI32.dll"}, 1238652, ... ) }, 1238652, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01403 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 1238652, ... ) }, 1238652, ... ) == 0x0 01404 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\NETAPI32.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01405 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01406 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01407 468 NtClose (236, ... ) == 0x0 01408 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71c20000), 0x0, 323584, ) == 0x0 01409 468 NtClose (232, ... ) == 0x0 01410 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ATL.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01411 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\ATL.DLL"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01412 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "ATL.DLL"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01413 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 1239456, ... ) }, 1239456, ... ) == 0x0 01414 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\ATL.DLL"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 
232, {status=0x0, info=1}, ) == 0x0 01415 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01416 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01417 468 NtClose (232, ... ) == 0x0 01418 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b20000), 0x0, 86016, ) == 0x0 01419 468 NtClose (236, ... ) == 0x0 01420 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rtutils.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01421 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rtutils.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01422 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "rtutils.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01423 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01424 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rtutils.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01425 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01426 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01427 468 NtClose (236, ... ) == 0x0 01428 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e80000), 0x0, 53248, ) == 0x0 01429 468 NtClose (232, ... ) == 0x0 01430 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SAMLIB.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01431 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SAMLIB.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01432 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "SAMLIB.dll"}, 1240260, ... 
) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01433 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01434 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SAMLIB.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01435 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01436 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01437 468 NtClose (232, ... ) == 0x0 01438 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71bf0000), 0x0, 69632, ) == 0x0 01439 468 NtClose (236, ... ) == 0x0 01440 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "SETUPAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01441 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\SETUPAPI.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01442 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "SETUPAPI.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01443 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01444 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\SETUPAPI.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01445 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01446 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01447 468 NtClose (236, ... ) == 0x0 01448 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76670000), 0x0, 933888, ) == 0x0 01449 468 NtClose (232, ... 
) == 0x0 01450 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RASAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01451 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\RASAPI32.dll"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01452 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "RASAPI32.dll"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01453 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 1241064, ... ) }, 1241064, ... ) == 0x0 01454 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\RASAPI32.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01455 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01456 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01457 468 NtClose (232, ... ) == 0x0 01458 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76ee0000), 0x0, 225280, ) == 0x0 01459 468 NtClose (236, ... ) == 0x0 01460 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasman.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01461 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasman.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01462 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "rasman.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01463 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01464 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasman.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 
236, {status=0x0, info=1}, ) == 0x0 01465 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01466 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01467 468 NtClose (236, ... ) == 0x0 01468 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76e90000), 0x0, 69632, ) == 0x0 01469 468 NtClose (232, ... ) == 0x0 01470 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "TAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01471 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\TAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01472 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "TAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01473 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01474 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01475 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01476 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01477 468 NtClose (232, ... ) == 0x0 01478 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76eb0000), 0x0, 172032, ) == 0x0 01479 468 NtClose (236, ... ) == 0x0 01480 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINMM.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01481 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINMM.dll"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01482 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "WINMM.dll"}, 1239456, ... ) }, 1239456, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01483 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 1239456, ... ) }, 1239456, ... ) == 0x0 01484 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINMM.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01485 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01486 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01487 468 NtClose (236, ... ) == 0x0 01488 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76b40000), 0x0, 180224, ) == 0x0 01489 468 NtClose (232, ... ) == 0x0 01490 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WZCSvc.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01491 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WZCSvc.DLL"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01492 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "WZCSvc.DLL"}, 1241064, ... ) }, 1241064, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01493 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 1241064, ... ) }, 1241064, ... ) == 0x0 01494 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WZCSvc.DLL"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01495 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01496 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01497 468 NtClose (232, ... ) == 0x0 01498 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76da0000), 0x0, 196608, ) == 0x0 01499 468 NtClose (236, ... 
) == 0x0 01500 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WMI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01501 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WMI.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01502 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "WMI.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01503 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01504 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WMI.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01505 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01506 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01507 468 NtClose (236, ... ) == 0x0 01508 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d30000), 0x0, 16384, ) == 0x0 01509 468 NtClose (232, ... ) == 0x0 01510 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DHCPCSVC.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01511 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DHCPCSVC.DLL"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01512 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "DHCPCSVC.DLL"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01513 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01514 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\DHCPCSVC.DLL"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 
232, {status=0x0, info=1}, ) == 0x0 01515 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01516 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01517 468 NtClose (232, ... ) == 0x0 01518 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76d80000), 0x0, 106496, ) == 0x0 01519 468 NtClose (236, ... ) == 0x0 01520 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WTSAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01521 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WTSAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01522 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "WTSAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01523 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 1240260, ... ) }, 1240260, ... ) == 0x0 01524 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WTSAPI32.dll"}, 5, 96, ... 236, {status=0x0, info=1}, ) }, 5, 96, ... 236, {status=0x0, info=1}, ) == 0x0 01525 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 236, ... 232, ) == 0x0 01526 468 NtQuerySection (232, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01527 468 NtClose (236, ... ) == 0x0 01528 468 NtMapViewOfSection (232, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76f50000), 0x0, 32768, ) == 0x0 01529 468 NtClose (232, ... ) == 0x0 01530 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WINSTA.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01531 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WINSTA.dll"}, 1239456, ... ) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01532 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "WINSTA.dll"}, 1239456, ... 
) }, 1239456, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01533 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 1239456, ... ) }, 1239456, ... ) == 0x0 01534 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\WINSTA.dll"}, 5, 96, ... 232, {status=0x0, info=1}, ) }, 5, 96, ... 232, {status=0x0, info=1}, ) == 0x0 01535 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 232, ... 236, ) == 0x0 01536 468 NtQuerySection (236, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01537 468 NtClose (232, ... ) == 0x0 01538 468 NtMapViewOfSection (236, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76360000), 0x0, 61440, ) == 0x0 01539 468 NtClose (236, ... ) == 0x0 01540 468 NtQueryDefaultLocale (1, 1242544, ... ) == 0x0 01541 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01542 468 NtAllocateVirtualMemory (-1, 0, 0, 262144, 8192, 4, ... 9437184, 262144, ) == 0x0 01543 468 NtAllocateVirtualMemory (-1, 9437184, 0, 4096, 4096, 4, ... 9437184, 4096, ) == 0x0 01544 468 NtAllocateVirtualMemory (-1, 9441280, 0, 8192, 4096, 4, ... 9441280, 8192, ) == 0x0 01545 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01546 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 01547 468 NtQueryDefaultLocale (1, 1242504, ... ) == 0x0 01548 468 NtQueryInformationProcess (-1, Wow64, 4, ... 
{process info, class 26, size 4}, 0x0, ) == 0x0 01549 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01550 468 NtQueryValueKey (236, (236, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01551 468 NtClose (236, ... ) == 0x0 01552 468 NtUserGetProcessWindowStation (... ) == 0x28 01553 468 NtUserGetObjectInformation (40, 1, 1242176, 12, 1242188, ... ) == 0x1 01554 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\WPA\PnP"}, ... 236, ) }, ... 236, ) == 0x0 01555 468 NtQueryValueKey (236, (236, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (236, "seed", Partial, 144, ... TitleIdx=0, Type=4, Data="\345\252r\363"}, 16, ) }, 16, ) == 0x0 01556 468 NtClose (236, ... ) == 0x0 01557 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01558 468 NtQueryValueKey (236, (236, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01559 468 NtQueryValueKey (236, (236, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "OsLoaderPath", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0\0\0"}, 16, ) }, 16, ) == 0x0 01560 468 NtClose (236, ... ) == 0x0 01561 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01562 468 NtQueryValueKey (236, (236, "SystemPartition", Partial, 144, ... 
TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01563 468 NtQueryValueKey (236, (236, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "SystemPartition", Partial, 144, ... TitleIdx=0, Type=1, Data="\\0D\0e\0v\0i\0c\0e\0\\0H\0a\0r\0d\0d\0i\0s\0k\0V\0o\0l\0u\0m\0e\01\0\0\0"}, 60, ) }, 60, ) == 0x0 01564 468 NtClose (236, ... ) == 0x0 01565 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01566 468 NtQueryValueKey (236, (236, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01567 468 NtQueryValueKey (236, (236, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "SourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01568 468 NtClose (236, ... ) == 0x0 01569 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01570 468 NtQueryValueKey (236, (236, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "ServicePackSourcePath", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01571 468 NtQueryValueKey (236, (236, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (236, "ServicePackSourcePath", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0:\0\\0\0\0"}, 20, ) }, 20, ) == 0x0 01572 468 NtClose (236, ... ) == 0x0 01573 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 236, ) }, ... 236, ) == 0x0 01574 468 NtQueryValueKey (236, (236, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (236, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01575 468 NtQueryValueKey (236, (236, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (236, "DriverCachePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0D\0r\0i\0v\0e\0r\0 \0C\0a\0c\0h\0e\0\0\0"}, 64, ) }, 64, ) == 0x0 01576 468 NtClose (236, ... ) == 0x0 01577 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 236, ) }, ... 236, ) == 0x0 01578 468 NtQueryValueKey (236, (236, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (236, "DevicePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0i\0n\0f\0\0\0"}, 46, ) }, 46, ) == 0x0 01579 468 NtClose (236, ... 
) == 0x0 01580 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 236, ) == 0x0 01581 468 NtCreateMutant (0x1f0001, 0x0, 0, ... 232, ) == 0x0 01582 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 240, ) == 0x0 01583 468 NtCreateMutant (0x1f0001, 0x0, 0, ... 244, ) == 0x0 01584 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 248, ) == 0x0 01585 468 NtCreateMutant (0x1f0001, 0x0, 0, ... 252, ) == 0x0 01586 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Setup"}, ... 256, ) }, ... 256, ) == 0x0 01587 468 NtQueryValueKey (256, (256, "LogLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01588 468 NtQueryValueKey (256, (256, "LogPath", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01589 468 NtOpenKey (0x1, {24, 256, 0x40, 0, 0, (0x1, {24, 256, 0x40, 0, 0, "AppLogLevels"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01590 468 NtClose (256, ... ) == 0x0 01591 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\"}, 1242096, ... ) }, 1242096, ... ) == 0x0 01592 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName\ActiveComputerName"}, ... 256, ) }, ... 256, ) == 0x0 01593 468 NtQueryValueKey (256, (256, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (256, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (256, "ComputerName", Full, 128, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 01594 468 NtClose (256, ... ) == 0x0 01595 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 256, ) }, ... 
256, ) == 0x0 01596 468 NtQueryValueKey (256, (256, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (256, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) , Data= (256, "Hostname", Full, 128, ... TitleIdx=0, Type=1, Name="Hostname", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 52, ) }, 52, ) == 0x0 01597 468 NtClose (256, ... ) == 0x0 01598 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\System\DNSclient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01599 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 256, ) }, ... 256, ) == 0x0 01600 468 NtQueryValueKey (256, (256, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Full, 128, ... TitleIdx=0, Type=1, Name= (256, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) , Data= (256, "Domain", Full, 128, ... TitleIdx=0, Type=1, Name="Domain", Data="\0\0"}, 34, ) }, 34, ) == 0x0 01601 468 NtClose (256, ... ) == 0x0 01602 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 256, ) == 0x0 01603 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 260, ) == 0x0 01604 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 264, ) == 0x0 01605 468 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\DRIVERS32"}, ... 268, ) }, ... 268, ) == 0x0 01606 468 NtQueryValueKey (268, (268, "wave", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01607 468 NtQueryValueKey (268, (268, "wave1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01608 468 NtQueryValueKey (268, (268, "wave2", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01609 468 NtQueryValueKey (268, (268, "wave3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01610 468 NtQueryValueKey (268, (268, "wave4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01611 468 NtQueryValueKey (268, (268, "wave5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01612 468 NtQueryValueKey (268, (268, "wave6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01613 468 NtQueryValueKey (268, (268, "wave7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01614 468 NtQueryValueKey (268, (268, "wave8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01615 468 NtQueryValueKey (268, (268, "wave9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01616 468 NtQueryValueKey (268, (268, "midi", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01617 468 NtQueryValueKey (268, (268, "midi1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01618 468 NtQueryValueKey (268, (268, "midi2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01619 468 NtQueryValueKey (268, (268, "midi3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01620 468 NtQueryValueKey (268, (268, "midi4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01621 468 NtQueryValueKey (268, (268, "midi5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01622 468 NtQueryValueKey (268, (268, "midi6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01623 468 NtQueryValueKey (268, (268, "midi7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01624 468 NtQueryValueKey (268, (268, "midi8", Partial, 536, ... ) , Partial, 536, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01625 468 NtQueryValueKey (268, (268, "midi9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01626 468 NtQueryTimerResolution (... 156250, 10000, 156250, ) == 0x0 01627 468 NtQueryValueKey (268, (268, "aux", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01628 468 NtQueryValueKey (268, (268, "aux1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01629 468 NtQueryValueKey (268, (268, "aux2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01630 468 NtQueryValueKey (268, (268, "aux3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01631 468 NtQueryValueKey (268, (268, "aux4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01632 468 NtQueryValueKey (268, (268, "aux5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01633 468 NtQueryValueKey (268, (268, "aux6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01634 468 NtQueryValueKey (268, (268, "aux7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01635 468 NtQueryValueKey (268, (268, "aux8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01636 468 NtQueryValueKey (268, (268, "aux9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01637 468 NtUserRegisterWindowMessage ( ("MSJSTICK_VJOYD_MSGSTR", ... ) , ... ) == 0xc07c 01638 468 NtOpenKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm"}, ... 272, ) }, ... 272, ) == 0x0 01639 468 NtQueryValueKey (272, (272, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (272, "wheel", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01640 468 NtClose (272, ... 
) == 0x0 01641 468 NtCreateEvent (0x1f0003, {24, 56, 0x80, 0, 0, (0x1f0003, {24, 56, 0x80, 0, 0, "DINPUTWINMM"}, 0, 0, ... ) }, 0, 0, ... ) == STATUS_ACCESS_DENIED 01642 468 NtQueryValueKey (268, (268, "mixer", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01643 468 NtQueryValueKey (268, (268, "mixer1", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01644 468 NtQueryValueKey (268, (268, "mixer2", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01645 468 NtQueryValueKey (268, (268, "mixer3", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01646 468 NtQueryValueKey (268, (268, "mixer4", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01647 468 NtQueryValueKey (268, (268, "mixer5", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01648 468 NtQueryValueKey (268, (268, "mixer6", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01649 468 NtQueryValueKey (268, (268, "mixer7", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01650 468 NtQueryValueKey (268, (268, "mixer8", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01651 468 NtQueryValueKey (268, (268, "mixer9", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01652 468 NtQueryDefaultUILanguage (1241064, ... 01653 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01654 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 01655 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01656 468 NtClose (-2147482032, ... ) == 0x0 01657 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... 
-2147482032, ) == 0x0 01658 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01659 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 01660 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01661 468 NtClose (-2147482044, ... ) == 0x0 01662 468 NtClose (-2147482032, ... ) == 0x0 01652 468 NtQueryDefaultUILanguage ... ) == 0x0 01663 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01664 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll"}, 1, 96, ... 272, {status=0x0, info=1}, ) }, 1, 96, ... 272, {status=0x0, info=1}, ) == 0x0 01665 468 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 272, ... 276, ) == 0x0 01666 468 NtMapViewOfSection (276, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x8c0000), 0x0, 163840, ) == 0x0 01667 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01668 468 NtQueryDefaultLocale (1, 1239100, ... ) == 0x0 01669 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\TAPI32.dll.124.Config"}, 1, 96, ... ) }, 1, 96, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 01670 468 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1239956, 1, 96, 0} (24, {128, 156, new_msg, 0, 1239956, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\356\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\20\1\0\0\377\377\377\377\0\0\0\0\360Z\216\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1589, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\356\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\20\1\0\0\377\377\377\377\0\0\0\0\360Z\216\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\362\22\0\0\0\0\0" ) ... {128, 156, reply, 0, 464, 468, 1589, 0} (24, {128, 156, new_msg, 0, 1239956, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\356\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\20\1\0\0\377\377\377\377\0\0\0\0\360Z\216\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\362\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1589, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\356\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\20\1\0\0\377\377\377\377\0\0\0\0\360Z\216\0\0\0\0\0\251\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\224\362\22\0\0\0\0\0" ) ) == 0x0 01671 468 NtClose (272, ... ) == 0x0 01672 468 NtClose (276, ... ) == 0x0 01673 468 NtUnmapViewOfSection (-1, 0x8c0000, ... ) == 0x0 01674 468 NtUnmapViewOfSection (-1, 0x12f294, ... ) == STATUS_NOT_MAPPED_VIEW 01675 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01676 468 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 
1396736, 4096, ) == 0x0 01677 468 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01678 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01679 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01680 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1238184, ... ) }, 1238184, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01681 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01682 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01683 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01684 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1238776, ... ) }, 1238776, ... ) == 0x0 01685 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 276, {status=0x0, info=1}, ) }, 3, 33, ... 276, {status=0x0, info=1}, ) == 0x0 01686 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 01687 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Telephony"}, ... 272, ) }, ... 272, ) == 0x0 01688 468 NtQueryValueKey (272, (272, "Tapi32MaxNumRequestRetries", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01689 468 NtQueryValueKey (272, (272, "Tapi32RequestRetryTimeout", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01690 468 NtClose (272, ... ) == 0x0 01691 468 NtCreateMutant (0x1f0001, 0x0, 0, ... 272, ) == 0x0 01692 468 NtCreateMutant (0x1f0001, {24, 56, 0x80, 1391264, 0, (0x1f0001, {24, 56, 0x80, 1391264, 0, "RasPbFile"}, 0, ... ) }, 0, ... 
) == STATUS_ACCESS_DENIED 01693 468 NtOpenMutant (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "RasPbFile"}, ... 280, ) }, ... 280, ) == 0x0 01694 468 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 284, ) == 0x0 01695 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 288, ) == 0x0 01696 468 NtCreateEvent (0x1f0003, 0x0, 0, 1, ... 292, ) == 0x0 01697 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 296, ) == 0x0 01698 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 300, ) == 0x0 01699 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 304, ) == 0x0 01700 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 01701 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9175040, 65536, ) == 0x0 01702 468 NtAllocateVirtualMemory (-1, 9175040, 0, 4096, 4096, 4, ... 9175040, 4096, ) == 0x0 01703 468 NtAllocateVirtualMemory (-1, 9179136, 0, 8192, 4096, 4, ... 9179136, 8192, ) == 0x0 01704 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 308, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 308, {status=0x0, info=0}, ) == 0x0 01705 468 NtCreateFile (0x40000000, {24, 0, 0x40, 0, 0, (0x40000000, {24, 0, 0x40, 0, 0, "\Device\Tcp"}, 0x0, 128, 3, 3, 0, 0, 0, ... 312, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 312, {status=0x0, info=0}, ) == 0x0 01706 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 316, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 316, {status=0x0, info=0}, ) == 0x0 01707 468 NtCreateFile (0x100003, {24, 0, 0x40, 0, 0, (0x100003, {24, 0, 0x40, 0, 0, "\Device\Ip"}, 0x0, 128, 3, 3, 0, 0, 0, ... 
320, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 320, {status=0x0, info=0}, ) == 0x0 01708 468 NtCreateFile (0x20100080, {24, 0, 0x40, 0, 1242628, (0x20100080, {24, 0, 0x40, 0, 1242628, "\??\Ip"}, 0x0, 128, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=0}, ) }, 0x0, 128, 3, 1, 64, 0, 0, ... 324, {status=0x0, info=0}, ) == 0x0 01709 468 NtAllocateVirtualMemory (-1, 9187328, 0, 36864, 4096, 4, ... 9187328, 36864, ) == 0x0 01710 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01711 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... {status=0x0, info=56}, (308, 328, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01712 468 NtClose (328, ... ) == 0x0 01713 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01714 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\5xu\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , 36, 348, ... {status=0x0, info=118}, (308, 328, 0x0, 0x0, 0x120003, "\0\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... 
{status=0x0, info=118}, "\1\0\0\0\30\0\0\0\360\5\0\0\200\226\230\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\5\0\0\0\5xu\344\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\241\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\32\0\0\0MS TCP Loopback interface\0", ) , ) == 0x0 01715 468 NtClose (328, ... ) == 0x0 01716 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01717 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0%xu\344q`\0\0f\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\01Y\0\0e\0\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , 36, 348, ... {status=0x0, info=158}, (308, 328, 0x0, 0x0, 0x120003, "\0\2\0\0\1\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 348, ... {status=0x0, info=158}, "\3\0\1\0\6\0\0\0\334\5\0\0\0\312\232;\6\0\0\0\0\14)\371\246\305\0\0\1\0\0\0\5\0\0\0%xu\344q`\0\0f\0\0\0-\0\0\0\0\0\0\0\0\0\0\0\0\0\0\01Y\0\0e\0\0\0+\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0B\0\0\0AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport\0", ) , ) == 0x0 01718 468 NtClose (328, ... ) == 0x0 01719 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01720 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01721 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , 36, 32768, ... 
{status=0x0, info=56}, (308, 328, 0x0, 0x0, 0x120003, "\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 32768, ... {status=0x0, info=56}, "\0\4\0\0\0\0\0\0\1\4\0\0\0\0\0\0\1\3\0\0\0\0\0\0\200\3\0\0\0\0\0\0\0\2\0\0\0\0\0\0\200\2\0\0\0\0\0\0\0\2\0\0\1\0\0\0", ) , ) == 0x0 01722 468 NtClose (328, ... ) == 0x0 01723 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01724 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , 36, 4, ... {status=0x0, info=4}, (308, 328, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 4, ... {status=0x0, info=4}, "\200\2\0\0", ) , ) == 0x0 01725 468 NtClose (328, ... ) == 0x0 01726 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 328, ) == 0x0 01727 468 NtDeviceIoControlFile (308, 328, 0x0, 0x0, 0x120003, (308, 328, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , 36, 8, ... {status=0x0, info=8}, (308, 328, 0x0, 0x0, 0x120003, "\200\2\0\0\0\0\0\0\0\2\0\0\0\1\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 36, 8, ... {status=0x0, info=8}, "\1\0\0\0\3\0\1\0", ) , ) == 0x0 01728 468 NtClose (328, ... ) == 0x0 01729 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01730 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01731 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01732 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01733 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01734 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01735 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01736 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01737 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01738 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01739 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01740 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01741 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01742 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01743 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01744 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01745 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01746 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 
9240576, 4096, ) == 0x0 01747 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01748 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01749 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01750 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01751 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01752 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01753 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01754 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01755 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01756 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01757 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01758 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01759 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01760 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01761 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01762 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01763 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01764 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01765 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01766 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01767 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01768 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01769 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01770 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01771 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01772 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01773 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01774 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9240576, 65536, ) == 0x0 01775 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01776 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01777 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01778 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01779 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01780 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01781 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01782 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01783 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01784 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01785 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01786 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01787 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01788 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... 
(0x8d0000), 65536, ) == 0x0 01789 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01790 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01791 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01792 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01793 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01794 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01795 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01796 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01797 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01798 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01799 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01800 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01801 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01802 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01803 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01804 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01805 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01806 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01807 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01808 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01809 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01810 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01811 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01812 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01813 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01814 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01815 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01816 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 
9240576, 4096, ) == 0x0 01817 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01818 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01819 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01820 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01821 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01822 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01823 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01824 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01825 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01826 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01827 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01828 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01829 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01830 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01831 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01832 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01833 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01834 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01835 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01836 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01837 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01838 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01839 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01840 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01841 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01842 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01843 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01844 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9240576, 65536, ) == 0x0 01845 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01846 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01847 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01848 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01849 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 9240576, 65536, ) == 0x0 01850 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x20000,}, 28, ) == 0x0 01851 468 NtAllocateVirtualMemory (-1, 9240576, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 01852 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 28, ) == 0x0 01853 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 01854 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Linkage"}, ... 328, ) }, ... 328, ) == 0x0 01855 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"}, ... 332, ) }, ... 332, ) == 0x0 01856 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"}, ... 336, ) }, ... 336, ) == 0x0 01857 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"}, ... 340, ) }, ... 
340, ) == 0x0 01858 468 NtQueryDefaultLocale (1, 1242564, ... ) == 0x0 01859 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01860 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01861 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 344, ) == 0x0 01862 468 NtDeviceIoControlFile (308, 344, 0x0, 0x0, 0x120003, (308, 344, 0x0, 0x0, 0x120003, "\1\3\0\0\0\0\0\0\0\2\0\0\0\1\0\0\4\1\0\0\1\0\0\0Ur\214k\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0n\0\0\0Pw-", 51, 52, ... ) , 51, 52, ... ) == STATUS_HOST_UNREACHABLE 01863 468 NtClose (344, ... ) == 0x0 01864 468 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 01865 468 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 01866 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 344, ) == 0x0 01867 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 348, ) == 0x0 01868 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 352, ) == 0x0 01869 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 356, ) == 0x0 01870 468 NtCreateKey (0xf003f, {24, 32, 0x40, 0, 0, (0xf003f, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing"}, 0, 0x0, 0, ... 360, 2, ) }, 0, 0x0, 0, ... 360, 2, ) == 0x0 01871 468 NtQueryValueKey (360, (360, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (360, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01872 468 NtClose (360, ... ) == 0x0 01873 468 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 1400832, 4096, ) == 0x0 01874 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 360, ) == 0x0 01875 468 NtCreateSemaphore (0x100003, 0x0, 0, 2147483647, ... 
364, ) == 0x0 01876 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Tracing\RASAPI32"}, ... 368, ) }, ... 368, ) == 0x0 01877 468 NtQueryValueKey (368, (368, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01878 468 NtQueryValueKey (368, (368, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01879 468 NtQueryValueKey (368, (368, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01880 468 NtQueryValueKey (368, (368, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01881 468 NtQueryValueKey (368, (368, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01882 468 NtQueryValueKey (368, (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01883 468 NtQueryValueKey (368, (368, "FileDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01884 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 372, ) == 0x0 01885 468 NtNotifyChangeKey (368, 372, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01886 468 NtQueryValueKey (368, (368, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "EnableFileTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01887 468 NtQueryValueKey (368, (368, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "FileTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01888 468 NtQueryValueKey (368, (368, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "EnableConsoleTracing", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01889 468 NtQueryValueKey (368, (368, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "ConsoleTracingMask", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\377\377"}, 16, ) }, 16, ) == 0x0 01890 468 NtQueryValueKey (368, (368, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (368, "MaxFileSize", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\20\0"}, 16, ) }, 16, ) == 0x0 01891 468 NtQueryValueKey (368, (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01892 468 NtQueryValueKey (368, (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (368, "FileDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0w\0i\0n\0d\0i\0r\0%\0\\0t\0r\0a\0c\0i\0n\0g\0\0\0"}, 46, ) }, 46, ) == 0x0 01893 468 NtNotifyChangeKey (368, 372, 0, 0, 2011390432, 14, 0, 0, 0, 1, ... ) == 0x103 01894 468 NtSetEvent (356, ... 0x0, ) == 0x0 01895 468 NtOpenEvent (0x100000, {24, 56, 0x0, 0, 0, (0x100000, {24, 56, 0x0, 0, 0, "Global\SvcctrlStartEvent_A3752DX"}, ... 376, ) }, ... 376, ) == 0x0 01896 468 NtWaitForSingleObject (376, 0, {-1800000000, -1}, ... ) == 0x0 01897 468 NtClose (376, ... ) == 0x0 01898 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01899 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 376, ) == 0x0 01900 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01901 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01902 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1241272, (0xc0100080, {24, 0, 0x40, 0, 1241272, "\??\PIPE\svcctl"}, 0x0, 0, 3, 1, 4194368, 0, 0, ... 380, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 4194368, 0, 0, ... 380, {status=0x0, info=1}, ) == 0x0 01903 468 NtSetInformationFile (380, 1241328, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01904 468 NtSetInformationFile (380, 1241320, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01905 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01906 468 NtWriteFile (380, 197, 0, 0, (380, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0\201\273z6D\230\3615\2552\230\3608\0\20\3\2\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01907 468 NtReadFile (380, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (380, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\206"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x0 01908 468 NtFsControlFile (380, 197, 0x0, 0x0, 0x11c017, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\206"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 36, 1024, ... {status=0x103, info=68}, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0$\0\0\0\1\0\0\0\14\0\0\0\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\200", 36, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\206"\0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) \0\0\15\0\PIPE\ntsvcs\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) == 0x103 01909 468 NtFsControlFile (380, 197, 0x0, 0x0, 0x11c017, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 76, 1024, ... {status=0x103, info=48}, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0L\0\0\0\2\0\0\04\0\0\0\0\0\20\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305\7\0\0\0\0\0\0\0\7\0\0\0R\0A\0S\0M\0A\0N\0\0\0\0\0\4\0\0\0", 76, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01910 468 NtFsControlFile (380, 197, 0x0, 0x0, 0x11c017, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=48}, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\6\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\2\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 01911 468 NtFsControlFile (380, 197, 0x0, 0x0, 0x11c017, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=56}, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\4\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\347-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=56}, "\5\0\2\3\20\0\0\08\0\0\0\3\0\0\0 \0\0\0\0\0\0\0 \0\0\0\1\0\0\0\0\0\0\05\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01912 468 NtFsControlFile (380, 197, 0x0, 0x0, 0x11c017, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=48}, (380, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\5\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\346-\10\4\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\4\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x103 01913 468 NtClose (376, ... ) == 0x0 01914 468 NtClose (380, ... ) == 0x0 01915 468 NtReleaseMutant (148, ... 0x0, ) == 0x0 01916 468 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01917 468 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01918 468 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01919 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01920 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 380, ) == 0x0 01921 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01922 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 01923 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238776, (0xc0100080, {24, 0, 0x40, 0, 1238776, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 376, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 376, {status=0x0, info=1}, ) == 0x0 01924 468 NtSetInformationFile (376, 1238832, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 01925 468 NtSetInformationFile (376, 1238824, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 01926 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 01927 468 NtWriteFile (376, 197, 0, 0, (376, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 01928 468 NtReadFile (376, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (376, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20b \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01929 468 NtFsControlFile (376, 197, 0x0, 0x0, 0x11c017, (376, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20b \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (376, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20b \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01930 468 NtClose (380, ... ) == 0x0 01931 468 NtClose (376, ... ) == 0x0 01932 468 NtCreateKey (0x2001d, {24, 32, 0x40, 0, 0, (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 01933 468 NtCreateKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 380, 2, ) }, 0, 0x0, 0, ... 380, 2, ) == 0x0 01934 468 NtClose (376, ... ) == 0x0 01935 468 NtQueryValueKey (380, (380, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01936 468 NtClose (380, ... ) == 0x0 01937 468 NtAllocateVirtualMemory (-1, 1404928, 0, 20480, 4096, 4, ... 
1404928, 20480, ) == 0x0 01938 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 01939 468 NtOpenProcessToken (-1, 0xc, ... 380, ) == 0x0 01940 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 01941 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 01942 468 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 01943 468 NtQueryValueKey (376, (376, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "Common AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 82, ) }, 82, ) == 0x0 01944 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "USERENV.dll"}, ... 384, ) }, ... 384, ) == 0x0 01945 468 NtMapViewOfSection (384, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x75a70000), 0x0, 667648, ) == 0x0 01946 468 NtClose (384, ... ) == 0x0 01947 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 384, ) }, ... 384, ) == 0x0 01948 468 NtQueryValueKey (384, (384, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01949 468 NtClose (384, ... ) == 0x0 01950 468 NtAllocateVirtualMemory (-1, 8601600, 0, 4096, 4096, 4, ... 8601600, 4096, ) == 0x0 01951 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 384, ) }, ... 384, ) == 0x0 01952 468 NtQueryValueKey (384, (384, "ChkAccDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01953 468 NtClose (384, ... 
) == 0x0 01954 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ProductOptions"}, ... 384, ) }, ... 384, ) == 0x0 01955 468 NtQueryValueKey (384, (384, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (384, "ProductType", Partial, 144, ... TitleIdx=0, Type=1, Data="W\0i\0n\0N\0T\0\0\0"}, 24, ) }, 24, ) == 0x0 01956 468 NtClose (384, ... ) == 0x0 01957 468 NtCreateEvent (0x1f0003, {24, 56, 0x80, 1238768, 0, (0x1f0003, {24, 56, 0x80, 1238768, 0, "Global\userenv: User Profile setup event"}, 0, 1, ... 384, ) }, 0, 1, ... 384, ) == STATUS_OBJECT_NAME_EXISTS 01958 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01959 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01960 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01961 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01962 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01963 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01964 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01965 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01966 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01967 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01968 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01969 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01970 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01971 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01972 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01973 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01974 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01975 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01976 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01977 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01978 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01979 468 NtQueryDefaultLocale (1, 1236604, ... 
) == 0x0 01980 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01981 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01982 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01983 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01984 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 01985 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 388, ) == 0x0 01986 468 NtQueryInformationToken (388, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 01987 468 NtClose (388, ... ) == 0x0 01988 468 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 388, ) }, ... 388, ) == 0x0 01989 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, ... 392, ) }, ... 392, ) == 0x0 01990 468 NtQueryValueKey (392, (392, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (392, "Personal", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0M\0y\0 \0D\0o\0c\0u\0m\0e\0n\0t\0s\0\0\0"}, 66, ) }, 66, ) == 0x0 01991 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01992 468 NtQueryValueKey (392, (392, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (392, "Local Settings", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 70, ) }, 70, ) == 0x0 01993 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01994 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01995 468 NtQueryDefaultLocale (1, 1236604, ... ) == 0x0 01996 468 NtQueryDefaultLocale (1, 1236604, ... 
) == 0x0 01997 468 NtClose (392, ... ) == 0x0 01998 468 NtClose (388, ... ) == 0x0 01999 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 388, ) }, ... 388, ) == 0x0 02000 468 NtQueryValueKey (388, (388, "RsopDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02001 468 NtClose (388, ... ) == 0x0 02002 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 388, ) }, ... 388, ) == 0x0 02003 468 NtQueryValueKey (388, (388, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02004 468 NtQueryValueKey (388, (388, "RsopLogging", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02005 468 NtClose (388, ... ) == 0x0 02006 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02007 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\winlogon"}, ... 388, ) }, ... 388, ) == 0x0 02008 468 NtQueryValueKey (388, (388, "UserEnvDebugLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02009 468 NtClose (388, ... ) == 0x0 02010 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\System"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02011 468 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 02012 468 NtAllocateVirtualMemory (-1, 1425408, 0, 4096, 4096, 4, ... 1425408, 4096, ) == 0x0 02013 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02014 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02015 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 388, ) }, ... 388, ) == 0x0 02016 468 NtQueryValueKey (388, (388, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (388, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02017 468 NtClose (388, ... ) == 0x0 02018 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 388, ) }, ... 388, ) == 0x0 02019 468 NtQueryValueKey (388, (388, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02020 468 NtClose (388, ... ) == 0x0 02021 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02022 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 388, ) }, ... 388, ) == 0x0 02023 468 NtQueryKey (388, Full, 176, ... 
{LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02024 468 NtQuerySecurityObject (388, 7, 0, ... ) == STATUS_ACCESS_DENIED 02025 468 NtEnumerateValueKey (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02026 468 NtEnumerateValueKey (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02027 468 NtEnumerateValueKey (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02028 468 NtEnumerateValueKey (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02029 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02030 468 NtEnumerateValueKey (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02031 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02032 468 NtEnumerateValueKey (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02033 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02034 468 NtEnumerateValueKey (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02035 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02036 468 NtEnumerateValueKey (388, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name= (388, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (388, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02037 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02038 468 NtEnumerateValueKey (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02039 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02040 468 NtEnumerateValueKey (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02041 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02042 468 NtEnumerateValueKey (388, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (388, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02043 468 NtEnumerateValueKey (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02044 468 NtEnumerateValueKey (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (388, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02045 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02046 468 NtEnumerateValueKey (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (388, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02047 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02048 468 NtEnumerateValueKey (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (388, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02049 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02050 468 NtEnumerateValueKey (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (388, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02051 468 NtEnumerateValueKey (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (388, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02052 468 NtEnumerateValueKey (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (388, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02053 468 NtEnumerateValueKey (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (388, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02054 468 NtEnumerateValueKey (388, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (388, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02055 468 NtEnumerateValueKey (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (388, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02056 468 NtEnumerateValueKey (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (388, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02057 468 NtEnumerateValueKey (388, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (388, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02058 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02059 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02060 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239692, ... ) }, 1239692, ... ) == 0x0 02061 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02062 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02063 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02064 468 NtEnumerateValueKey (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (388, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02065 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02066 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02067 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239692, ... ) }, 1239692, ... ) == 0x0 02068 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02069 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02070 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02071 468 NtClose (388, ... ) == 0x0 02072 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 388, ) }, ... 
388, ) == 0x0 02073 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "ActiveComputerName"}, ... 392, ) }, ... 392, ) == 0x0 02074 468 NtQueryValueKey (392, (392, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (392, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (392, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02075 468 NtClose (392, ... ) == 0x0 02076 468 NtClose (388, ... ) == 0x0 02077 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02078 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 388, ) }, ... 388, ) == 0x0 02079 468 NtQueryValueKey (388, (388, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (388, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02080 468 NtClose (388, ... ) == 0x0 02081 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 388, ) }, ... 388, ) == 0x0 02082 468 NtQueryValueKey (388, (388, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "DefaultUserProfile", Partial, 144, ... 
TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02083 468 NtClose (388, ... ) == 0x0 02084 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02085 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 388, ) }, ... 388, ) == 0x0 02086 468 NtQueryValueKey (388, (388, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02087 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02088 468 NtQueryValueKey (388, (388, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (388, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02089 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02090 468 NtClose (388, ... ) == 0x0 02091 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02092 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER"}, ... 388, ) }, ... 
388, ) == 0x0 02093 468 NtSetInformationObject (388, Handle, {Inherit=0,ProtectFromClose=1,}, 2011365632, ... ) == 0x0 02094 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0 02095 468 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02096 468 NtQueryInformationToken (380, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02097 468 NtDuplicateToken (380, 0xc, {24, 0, 0x0, 0, 1241076, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02098 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02099 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02100 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02101 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02102 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02103 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239280, (0xc0100080, {24, 0, 0x40, 0, 1239280, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 02104 468 NtSetInformationFile (400, 1239336, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02105 468 NtSetInformationFile (400, 1239328, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02106 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02107 468 NtWriteFile (400, 197, 0, 0, (400, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02108 468 NtReadFile (400, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (400, 197, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20c \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02109 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20c \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20c \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02110 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\357\22\0\1\0\0\0 \273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\357\22\0\1\0\0\0 \273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02111 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\372A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02112 468 NtClose (396, ... ) == 0x0 02113 468 NtClose (400, ... ) == 0x0 02114 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02115 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 02116 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02117 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02118 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239276, (0xc0100080, {24, 0, 0x40, 0, 1239276, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 
396, {status=0x0, info=1}, ) == 0x0 02119 468 NtSetInformationFile (396, 1239332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02120 468 NtSetInformationFile (396, 1239324, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02121 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02122 468 NtWriteFile (396, 197, 0, 0, (396, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02123 468 NtReadFile (396, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20d \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02124 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20d \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20d \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02125 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\330\357\22\0\1\0\0\0 \273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\330\357\22\0\1\0\0\0 \273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02126 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\373A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02127 468 NtClose (400, ... ) == 0x0 02128 468 NtClose (396, ... ) == 0x0 02129 468 NtOpenEvent (0x100000, {24, 0, 0x0, 0, 0, (0x100000, {24, 0, 0x0, 0, 0, "\INSTALLATION_SECURITY_HOLD"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02130 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02131 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02132 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02133 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02134 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238908, (0xc0100080, {24, 0, 0x40, 0, 1238908, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 02135 468 NtSetInformationFile (400, 1238964, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02136 468 NtSetInformationFile (400, 1238956, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02137 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02138 468 NtWriteFile (400, 197, 0, 0, (400, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0j(\319\14\261\320\21\233\250\0\300O\331.\365\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... 
{status=0x0, info=72}, ) == 0x0 02139 468 NtReadFile (400, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (400, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20e \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02140 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20e \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 26, 1024, ... {status=0x103, info=68}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\32\0\0\0\1\0\0\0\2\0\0\0\0\0\0\0\1\0", 26, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20e \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02141 468 NtClose (396, ... ) == 0x0 02142 468 NtClose (400, ... ) == 0x0 02143 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02144 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02145 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02146 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0 02147 468 NtQueryValueKey (400, (400, "ProfileImagePath", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (400, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02148 468 NtClose (400, ... ) == 0x0 02149 468 NtCreateKey (0x2001f, {24, 392, 0x40, 0, 0, (0x2001f, {24, 392, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0 02150 468 NtQueryValueKey (400, (400, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02151 468 NtClose (400, ... ) == 0x0 02152 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02153 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02154 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1240980, ... ) }, 1240980, ... ) == 0x0 02155 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240988, (0x80100080, {24, 0, 0x40, 0, 1240988, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 02156 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02157 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02158 468 NtQueryInformationFile (400, 1241004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02159 468 NtReadFile (400, 0, 0, 0, 0, 0x0, 0, ... 
{status=0x0, info=0}, "", ) == 0x0 02160 468 NtClose (400, ... ) == 0x0 02161 468 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Environment"}, ... 400, ) }, ... 400, ) == 0x0 02162 468 NtAllocateVirtualMemory (-1, 1429504, 0, 12288, 4096, 4, ... 1429504, 12288, ) == 0x0 02163 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02164 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02165 468 NtEnumerateValueKey (400, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02166 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02167 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02168 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02169 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239720, ... ) }, 1239720, ... ) == 0x0 02170 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02171 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02172 468 NtClose (396, ... ) == 0x0 02173 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02174 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02175 468 NtClose (396, ... ) == 0x0 02176 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02177 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02178 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02179 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02180 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02181 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02182 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239720, ... ) }, 1239720, ... ) == 0x0 02183 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02184 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02185 468 NtClose (396, ... ) == 0x0 02186 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02187 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02188 468 NtClose (396, ... ) == 0x0 02189 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02190 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02191 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02192 468 NtEnumerateValueKey (400, 2, Full, 220, ... 
) == STATUS_NO_MORE_ENTRIES 02193 468 NtClose (400, ... ) == 0x0 02194 468 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Volatile Environment"}, ... 400, ) }, ... 400, ) == 0x0 02195 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02196 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02197 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02198 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02199 468 NtEnumerateValueKey (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02200 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02201 468 NtEnumerateValueKey (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02202 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02203 468 NtEnumerateValueKey (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02204 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02205 468 NtEnumerateValueKey (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02206 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02207 468 NtEnumerateValueKey (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (400, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02208 468 NtEnumerateValueKey (400, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02209 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02210 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02211 468 NtEnumerateValueKey (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02212 468 NtEnumerateValueKey (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02213 468 NtEnumerateValueKey (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02214 468 NtEnumerateValueKey (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02215 468 NtEnumerateValueKey (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02216 468 NtEnumerateValueKey (400, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02217 468 NtClose (400, ... ) == 0x0 02218 468 NtClose (392, ... ) == 0x0 02219 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 4096, ) == 0x0 02220 468 NtClose (376, ... ) == 0x0 02221 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data"}, 1241644, ... ) }, 1241644, ... ) == 0x0 02222 468 NtCreateKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 02223 468 NtSetValueKey (376, (376, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 0, 1, (376, "Common AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 106, ... ) , 106, ... ) == 0x0 02224 468 NtClose (376, ... ) == 0x0 02225 468 NtClose (380, ... 
) == 0x0 02226 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02227 468 NtQueryDirectoryFile (380, 0, 0, 0, 1240620, 616, BothDirectory, 1, (380, 0, 0, 0, 1240620, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02228 468 NtClose (380, ... ) == 0x0 02229 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 380, {status=0x0, info=1}, ) }, 3, 16417, ... 380, {status=0x0, info=1}, ) == 0x0 02230 468 NtQueryDirectoryFile (380, 0, 0, 0, 1240620, 616, BothDirectory, 1, (380, 0, 0, 0, 1240620, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02231 468 NtClose (380, ... ) == 0x0 02232 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02233 468 NtOpenProcessToken (-1, 0xc, ... 380, ) == 0x0 02234 468 NtQueryInformationToken (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02235 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0 02236 468 NtCreateKey (0x2000000, {24, 376, 0x40, 0, 0, (0x2000000, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0 02237 468 NtClose (376, ... ) == 0x0 02238 468 NtQueryValueKey (392, (392, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (392, "AppData", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02239 468 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 02240 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02241 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02242 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02243 468 NtQueryValueKey (376, (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02244 468 NtClose (376, ... ) == 0x0 02245 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02246 468 NtQueryValueKey (376, (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02247 468 NtClose (376, ... ) == 0x0 02248 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02249 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 376, ) }, ... 376, ) == 0x0 02250 468 NtQueryKey (376, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02251 468 NtQuerySecurityObject (376, 7, 0, ... ) == STATUS_ACCESS_DENIED 02252 468 NtEnumerateValueKey (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02253 468 NtEnumerateValueKey (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02254 468 NtEnumerateValueKey (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02255 468 NtEnumerateValueKey (376, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02256 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02257 468 NtEnumerateValueKey (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02258 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02259 468 NtEnumerateValueKey (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02260 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02261 468 NtEnumerateValueKey (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02262 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02263 468 NtEnumerateValueKey (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02264 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02265 468 NtEnumerateValueKey (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02266 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02267 468 NtEnumerateValueKey (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02268 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02269 468 NtEnumerateValueKey (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02270 468 NtEnumerateValueKey (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02271 468 NtEnumerateValueKey (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (376, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02272 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02273 468 NtEnumerateValueKey (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (376, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02274 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02275 468 NtEnumerateValueKey (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (376, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02276 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02277 468 NtEnumerateValueKey (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (376, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02278 468 NtEnumerateValueKey (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (376, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02279 468 NtEnumerateValueKey (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (376, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02280 468 NtEnumerateValueKey (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (376, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02281 468 NtEnumerateValueKey (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (376, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02282 468 NtEnumerateValueKey (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (376, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02283 468 NtEnumerateValueKey (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (376, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02284 468 NtEnumerateValueKey (376, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02285 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02286 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02287 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239692, ... ) }, 1239692, ... ) == 0x0 02288 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02289 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02290 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02291 468 NtEnumerateValueKey (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (376, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02292 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02293 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02294 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1239692, ... ) }, 1239692, ... ) == 0x0 02295 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 02296 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02297 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02298 468 NtClose (376, ... ) == 0x0 02299 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 376, ) }, ... 376, ) == 0x0 02300 468 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "ActiveComputerName"}, ... 400, ) }, ... 400, ) == 0x0 02301 468 NtQueryValueKey (400, (400, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (400, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (400, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02302 468 NtClose (400, ... ) == 0x0 02303 468 NtClose (376, ... ) == 0x0 02304 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02305 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02306 468 NtQueryValueKey (376, (376, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (376, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02307 468 NtClose (376, ... ) == 0x0 02308 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 376, ) }, ... 376, ) == 0x0 02309 468 NtQueryValueKey (376, (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02310 468 NtClose (376, ... ) == 0x0 02311 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02312 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 376, ) }, ... 376, ) == 0x0 02313 468 NtQueryValueKey (376, (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02314 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02315 468 NtQueryValueKey (376, (376, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (376, "CommonFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02316 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02317 468 NtClose (376, ... ) == 0x0 02318 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02319 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 376, ) }, ... 376, ) == 0x0 02320 468 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02321 468 NtQueryInformationToken (380, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02322 468 NtDuplicateToken (380, 0xc, {24, 0, 0x0, 0, 1241076, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02323 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02324 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02325 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 400, ) == 0x0 02326 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02327 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02328 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239280, (0xc0100080, {24, 0, 0x40, 0, 1239280, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 02329 468 NtSetInformationFile (396, 1239336, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02330 468 NtSetInformationFile (396, 1239328, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02331 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02332 468 NtWriteFile (396, 197, 0, 0, (396, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02333 468 NtReadFile (396, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02334 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\244\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20f \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02335 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\357\22\0\1\0\0\0H\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\334\357\22\0\1\0\0\0H\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02336 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\374A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02337 468 NtClose (400, ... ) == 0x0 02338 468 NtClose (396, ... ) == 0x0 02339 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02340 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02341 468 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 02342 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02343 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1239276, (0xc0100080, {24, 0, 0x40, 0, 1239276, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 02344 468 NtSetInformationFile (400, 1239332, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02345 468 NtSetInformationFile (400, 1239324, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02346 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02347 468 NtWriteFile (400, 197, 0, 0, (400, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02348 468 NtReadFile (400, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (400, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20g \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02349 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20g \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\240\357\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20g \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02350 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\330\357\22\0\1\0\0\0H\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\330\357\22\0\1\0\0\0H\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02351 468 NtFsControlFile (400, 197, 0x0, 0x0, 0x11c017, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (400, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\375A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02352 468 NtClose (396, ... ) == 0x0 02353 468 NtClose (400, ... ) == 0x0 02354 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02355 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02356 468 NtQueryInformationToken (380, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02357 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0 02358 468 NtQueryValueKey (400, (400, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (400, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02359 468 NtClose (400, ... 
) == 0x0 02360 468 NtCreateKey (0x2001f, {24, 376, 0x40, 0, 0, (0x2001f, {24, 376, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0 02361 468 NtQueryValueKey (400, (400, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (400, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02362 468 NtClose (400, ... ) == 0x0 02363 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02364 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02365 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1240980, ... ) }, 1240980, ... ) == 0x0 02366 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240988, (0x80100080, {24, 0, 0x40, 0, 1240988, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 400, {status=0x0, info=1}, ) == 0x0 02367 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02368 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02369 468 NtQueryInformationFile (400, 1241004, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02370 468 NtReadFile (400, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02371 468 NtClose (400, ... ) == 0x0 02372 468 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Environment"}, ... 400, ) }, ... 400, ) == 0x0 02373 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02374 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02375 468 NtEnumerateValueKey (400, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02376 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02377 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02378 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02379 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239720, ... ) }, 1239720, ... ) == 0x0 02380 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 
396, {status=0x0, info=1}, ) == 0x0 02381 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02382 468 NtClose (396, ... ) == 0x0 02383 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02384 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02385 468 NtClose (396, ... ) == 0x0 02386 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02387 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02388 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02389 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02390 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02391 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02392 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1239720, ... ) }, 1239720, ... ) == 0x0 02393 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02394 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02395 468 NtClose (396, ... ) == 0x0 02396 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 396, {status=0x0, info=1}, ) }, 3, 16417, ... 396, {status=0x0, info=1}, ) == 0x0 02397 468 NtQueryDirectoryFile (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, (396, 0, 0, 0, 1239080, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02398 468 NtClose (396, ... ) == 0x0 02399 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02400 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02401 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02402 468 NtEnumerateValueKey (400, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02403 468 NtClose (400, ... ) == 0x0 02404 468 NtOpenKey (0x20019, {24, 376, 0x40, 0, 0, (0x20019, {24, 376, 0x40, 0, 0, "Volatile Environment"}, ... 400, ) }, ... 400, ) == 0x0 02405 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02406 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02407 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02408 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02409 468 NtEnumerateValueKey (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02410 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02411 468 NtEnumerateValueKey (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02412 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02413 468 NtEnumerateValueKey (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02414 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02415 468 NtEnumerateValueKey (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02416 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02417 468 NtEnumerateValueKey (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02418 468 NtEnumerateValueKey (400, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02419 468 NtEnumerateValueKey (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (400, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02420 468 NtEnumerateValueKey (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (400, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02421 468 NtEnumerateValueKey (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (400, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02422 468 NtEnumerateValueKey (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (400, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02423 468 NtEnumerateValueKey (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (400, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02424 468 NtEnumerateValueKey (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (400, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02425 468 NtEnumerateValueKey (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (400, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02426 468 NtEnumerateValueKey (400, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02427 468 NtClose (400, ... ) == 0x0 02428 468 NtClose (376, ... ) == 0x0 02429 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 4096, ) == 0x0 02430 468 NtClose (392, ... ) == 0x0 02431 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1241644, ... ) }, 1241644, ... ) == 0x0 02432 468 NtQueryInformationToken (380, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02433 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0 02434 468 NtCreateKey (0x2000000, {24, 392, 0x40, 0, 0, (0x2000000, {24, 392, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 376, 2, ) }, 0, 0x0, 0, ... 376, 2, ) == 0x0 02435 468 NtClose (392, ... ) == 0x0 02436 468 NtSetValueKey (376, (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (376, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 02437 468 NtClose (376, ... ) == 0x0 02438 468 NtClose (380, ... 
) == 0x0 02439 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02440 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02441 468 NtQueryInformationFile (92, 1242692, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02442 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 02443 468 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2 \252\25\0" ... {176, 200, reply, 0, 464, 468, 1590, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 464, 468, 1590, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\0\2 \252\25\0" ... {176, 200, reply, 0, 464, 468, 1590, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\0\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 02444 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02445 468 NtOpenThreadToken (-2, 0x20008, 1, ... ) == STATUS_NO_TOKEN 02446 468 NtOpenProcessToken (-1, 0x20008, ... 380, ) == 0x0 02447 468 NtQueryInformationToken (380, User, 80, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02448 468 NtClose (380, ... ) == 0x0 02449 468 NtOpenKey (0x3, {24, 388, 0x40, 0, 0, (0x3, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 380, ) }, ... 380, ) == 0x0 02450 468 NtOpenKey (0x1, {24, 380, 0x40, 0, 0, (0x1, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 376, ) }, ... 376, ) == 0x0 02451 468 NtQueryValueKey (376, (376, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (376, "MigrateProxy", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02452 468 NtClose (376, ... ) == 0x0 02453 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02454 468 NtOpenProcessToken (-1, 0xc, ... 376, ) == 0x0 02455 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 02456 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 02457 468 NtClose (376, ... ) == 0x0 02458 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0 02459 468 NtQueryDirectoryFile (376, 0, 0, 0, 1239756, 616, BothDirectory, 1, (376, 0, 0, 0, 1239756, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02460 468 NtClose (376, ... ) == 0x0 02461 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 376, {status=0x0, info=1}, ) }, 3, 16417, ... 376, {status=0x0, info=1}, ) == 0x0 02462 468 NtQueryDirectoryFile (376, 0, 0, 0, 1239756, 616, BothDirectory, 1, (376, 0, 0, 0, 1239756, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02463 468 NtClose (376, ... ) == 0x0 02464 468 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 02465 468 NtOpenProcessToken (-1, 0xc, ... 376, ) == 0x0 02466 468 NtQueryInformationToken (376, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02467 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0 02468 468 NtCreateKey (0x2000000, {24, 392, 0x40, 0, 0, (0x2000000, {24, 392, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 400, 2, ) }, 0, 0x0, 0, ... 400, 2, ) == 0x0 02469 468 NtClose (392, ... ) == 0x0 02470 468 NtQueryValueKey (400, (400, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (400, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02471 468 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9240576, 4096, ) == 0x0 02472 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02473 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02474 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 392, ) }, ... 392, ) == 0x0 02475 468 NtQueryValueKey (392, (392, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... 
TitleIdx=0, Type=2, Data= (392, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02476 468 NtClose (392, ... ) == 0x0 02477 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 392, ) }, ... 392, ) == 0x0 02478 468 NtQueryValueKey (392, (392, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02479 468 NtClose (392, ... ) == 0x0 02480 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02481 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 392, ) }, ... 392, ) == 0x0 02482 468 NtQueryKey (392, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02483 468 NtQuerySecurityObject (392, 7, 0, ... ) == STATUS_ACCESS_DENIED 02484 468 NtEnumerateValueKey (392, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (392, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02485 468 NtEnumerateValueKey (392, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (392, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02486 468 NtEnumerateValueKey (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02487 468 NtEnumerateValueKey (392, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (392, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02488 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02489 468 NtEnumerateValueKey (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02490 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02491 468 NtEnumerateValueKey (392, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (392, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02492 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02493 468 NtEnumerateValueKey (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02494 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02495 468 NtEnumerateValueKey (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02496 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02497 468 NtEnumerateValueKey (392, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (392, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02498 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02499 468 NtEnumerateValueKey (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02500 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02501 468 NtEnumerateValueKey (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02502 468 NtEnumerateValueKey (392, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (392, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02503 468 NtEnumerateValueKey (392, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (392, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02504 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02505 468 NtEnumerateValueKey (392, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (392, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02506 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02507 468 NtEnumerateValueKey (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (392, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02508 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02509 468 NtEnumerateValueKey (392, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (392, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (392, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02510 468 NtEnumerateValueKey (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (392, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02511 468 NtEnumerateValueKey (392, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (392, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02512 468 NtEnumerateValueKey (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (392, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02513 468 NtEnumerateValueKey (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (392, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02514 468 NtEnumerateValueKey (392, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (392, 8, Full, 220, ... 
TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02515 468 NtEnumerateValueKey (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (392, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02516 468 NtEnumerateValueKey (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (392, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02517 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02518 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02519 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238828, ... ) }, 1238828, ... ) == 0x0 02520 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02521 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02522 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02523 468 NtEnumerateValueKey (392, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (392, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (392, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02524 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02525 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02526 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238828, ... ) }, 1238828, ... ) == 0x0 02527 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02528 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02529 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02530 468 NtClose (392, ... ) == 0x0 02531 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 392, ) }, ... 392, ) == 0x0 02532 468 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "ActiveComputerName"}, ... 396, ) }, ... 396, ) == 0x0 02533 468 NtQueryValueKey (396, (396, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (396, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (396, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 02534 468 NtClose (396, ... ) == 0x0 02535 468 NtClose (392, ... ) == 0x0 02536 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... 
{BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02537 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 392, ) }, ... 392, ) == 0x0 02538 468 NtQueryValueKey (392, (392, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (392, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02539 468 NtClose (392, ... ) == 0x0 02540 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 392, ) }, ... 392, ) == 0x0 02541 468 NtQueryValueKey (392, (392, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 02542 468 NtClose (392, ... ) == 0x0 02543 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02544 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 392, ) }, ... 392, ) == 0x0 02545 468 NtQueryValueKey (392, (392, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "ProgramFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 02546 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02547 468 NtQueryValueKey (392, (392, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (392, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 02548 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02549 468 NtClose (392, ... ) == 0x0 02550 468 NtQueryInformationToken (376, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02551 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 392, ) }, ... 392, ) == 0x0 02552 468 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 02553 468 NtQueryInformationToken (376, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 02554 468 NtDuplicateToken (376, 0xc, {24, 0, 0x0, 0, 1240212, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 02555 468 NtQueryInformationToken (376, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 02556 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02557 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 396, ) == 0x0 02558 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02559 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 02560 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238416, (0xc0100080, {24, 0, 0x40, 0, 1238416, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 404, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 404, {status=0x0, info=1}, ) == 0x0 02561 468 NtSetInformationFile (404, 1238472, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02562 468 NtSetInformationFile (404, 1238464, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02563 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02564 468 NtWriteFile (404, 197, 0, 0, (404, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02565 468 NtReadFile (404, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (404, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20h \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02566 468 NtFsControlFile (404, 197, 0x0, 0x0, 0x11c017, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\354\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20h \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0D\354\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20h \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02567 468 NtFsControlFile (404, 197, 0x0, 0x0, 0x11c017, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0|\354\22\0\1\0\0\0\350\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0|\354\22\0\1\0\0\0\350\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02568 468 NtFsControlFile (404, 197, 0x0, 0x0, 0x11c017, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (404, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\376A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02569 468 NtClose (396, ... ) == 0x0 02570 468 NtClose (404, ... ) == 0x0 02571 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02572 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 404, ) == 0x0 02573 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02574 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02575 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238412, (0xc0100080, {24, 0, 0x40, 0, 1238412, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 396, {status=0x0, info=1}, ) == 0x0 02576 468 NtSetInformationFile (396, 1238468, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 02577 468 NtSetInformationFile (396, 1238460, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 02578 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 02579 468 NtWriteFile (396, 197, 0, 0, (396, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 02580 468 NtReadFile (396, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (396, 197, 0, 0, 1024, {0, 0}, 0, ... 
{status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20i \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 02581 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\354\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20i \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\354\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20i \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 02582 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0x\354\22\0\1\0\0\0\350\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0x\354\22\0\1\0\0\0\350\273\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... 
{status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 02583 468 NtFsControlFile (396, 197, 0x0, 0x0, 0x11c017, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (396, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\377A\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0h\22\25\0\1\0\0\0t\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\200\22\25\0\220\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 02584 468 NtClose (404, ... ) == 0x0 02585 468 NtClose (396, ... ) == 0x0 02586 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02587 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02588 468 NtQueryInformationToken (376, User, 200, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02589 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 396, ) }, ... 396, ) == 0x0 02590 468 NtQueryValueKey (396, (396, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (396, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 02591 468 NtClose (396, ... ) == 0x0 02592 468 NtCreateKey (0x2001f, {24, 392, 0x40, 0, 0, (0x2001f, {24, 392, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 396, 2, ) }, 0, 0x0, 0, ... 396, 2, ) == 0x0 02593 468 NtQueryValueKey (396, (396, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (396, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 02594 468 NtClose (396, ... ) == 0x0 02595 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02596 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02597 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1240116, ... ) }, 1240116, ... ) == 0x0 02598 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240124, (0x80100080, {24, 0, 0x40, 0, 1240124, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 396, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 
396, {status=0x0, info=1}, ) == 0x0 02599 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02600 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02601 468 NtQueryInformationFile (396, 1240140, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02602 468 NtReadFile (396, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 02603 468 NtClose (396, ... ) == 0x0 02604 468 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Environment"}, ... 396, ) }, ... 396, ) == 0x0 02605 468 NtEnumerateValueKey (396, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (396, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (396, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02606 468 NtEnumerateValueKey (396, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (396, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (396, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02607 468 NtEnumerateValueKey (396, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02608 468 NtEnumerateValueKey (396, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (396, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (396, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02609 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02610 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02611 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238856, ... ) }, 1238856, ... ) == 0x0 02612 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 404, {status=0x0, info=1}, ) }, 3, 16417, ... 404, {status=0x0, info=1}, ) == 0x0 02613 468 NtQueryDirectoryFile (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02614 468 NtClose (404, ... ) == 0x0 02615 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 404, {status=0x0, info=1}, ) }, 3, 16417, ... 404, {status=0x0, info=1}, ) == 0x0 02616 468 NtQueryDirectoryFile (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02617 468 NtClose (404, ... ) == 0x0 02618 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02619 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02620 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02621 468 NtEnumerateValueKey (396, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name= (396, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (396, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 02622 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02623 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 02624 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238856, ... ) }, 1238856, ... ) == 0x0 02625 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 404, {status=0x0, info=1}, ) }, 3, 16417, ... 404, {status=0x0, info=1}, ) == 0x0 02626 468 NtQueryDirectoryFile (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 02627 468 NtClose (404, ... ) == 0x0 02628 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 404, {status=0x0, info=1}, ) }, 3, 16417, ... 404, {status=0x0, info=1}, ) == 0x0 02629 468 NtQueryDirectoryFile (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, (404, 0, 0, 0, 1238216, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 02630 468 NtClose (404, ... ) == 0x0 02631 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02632 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 02633 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02634 468 NtEnumerateValueKey (396, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02635 468 NtClose (396, ... ) == 0x0 02636 468 NtOpenKey (0x20019, {24, 392, 0x40, 0, 0, (0x20019, {24, 392, 0x40, 0, 0, "Volatile Environment"}, ... 396, ) }, ... 396, ) == 0x0 02637 468 NtEnumerateValueKey (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02638 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02639 468 NtEnumerateValueKey (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02640 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02641 468 NtEnumerateValueKey (396, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (396, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02642 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02643 468 NtEnumerateValueKey (396, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (396, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02644 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02645 468 NtEnumerateValueKey (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02646 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02647 468 NtEnumerateValueKey (396, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (396, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02648 468 NtQueryVirtualMemory (-1, 0x8d0000, Basic, 28, ... {BaseAddress=0x8d0000,AllocationBase=0x8d0000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02649 468 NtEnumerateValueKey (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02650 468 NtEnumerateValueKey (396, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02651 468 NtEnumerateValueKey (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (396, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 02652 468 NtEnumerateValueKey (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (396, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 02653 468 NtEnumerateValueKey (396, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (396, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 02654 468 NtEnumerateValueKey (396, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (396, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 02655 468 NtEnumerateValueKey (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (396, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 02656 468 NtEnumerateValueKey (396, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (396, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 02657 468 NtEnumerateValueKey (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (396, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 02658 468 NtEnumerateValueKey (396, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 02659 468 NtClose (396, ... ) == 0x0 02660 468 NtClose (392, ... ) == 0x0 02661 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 4096, ) == 0x0 02662 468 NtClose (400, ... ) == 0x0 02663 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240780, ... ) }, 1240780, ... ) == 0x0 02664 468 NtQueryInformationToken (376, User, 64, ... 
{token info, class 1, size 36}, 36, ) == 0x0 02665 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 400, ) }, ... 400, ) == 0x0 02666 468 NtCreateKey (0x2000000, {24, 400, 0x40, 0, 0, (0x2000000, {24, 400, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 392, 2, ) }, 0, 0x0, 0, ... 392, 2, ) == 0x0 02667 468 NtClose (400, ... ) == 0x0 02668 468 NtSetValueKey (392, (392, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (392, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 02669 468 NtClose (392, ... ) == 0x0 02670 468 NtClose (376, ... ) == 0x0 02671 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 02672 468 NtCreateKey (0x2, {24, 380, 0x40, 0, 0, (0x2, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 376, 2, ) }, 0, "", 0, ... 376, 2, ) == 0x0 02673 468 NtSetValueKey (376, (376, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (376, "MigrateProxy", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02674 468 NtClose (376, ... ) == 0x0 02675 468 NtOpenKey (0x20019, {24, 380, 0x40, 0, 0, (0x20019, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, ... 376, ) }, ... 376, ) == 0x0 02676 468 NtQueryValueKey (376, (376, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (376, "ProxyEnable", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02677 468 NtQueryValueKey (376, (376, "ProxyServer", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02678 468 NtQueryValueKey (376, (376, "ProxyOverride", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02679 468 NtQueryValueKey (376, (376, "AutoConfigURL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02680 468 NtClose (376, ... ) == 0x0 02681 468 NtWaitForSingleObject (152, 0, 0x0, ... ) == 0x0 02682 468 NtCreateKey (0x1, {24, 380, 0x40, 0, 0, (0x1, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 376, 2, ) }, 0, "", 0, ... 376, 2, ) == 0x0 02683 468 NtQueryValueKey (376, (376, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (376, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02684 468 NtQueryValueKey (376, (376, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (376, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02685 468 NtReleaseMutant (152, ... 0x0, ) == 0x0 02686 468 NtClose (376, ... ) == 0x0 02687 468 NtWaitForSingleObject (152, 0, 0x0, ... 
) == 0x0 02688 468 NtCreateKey (0x1, {24, 380, 0x40, 0, 0, (0x1, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 376, 2, ) }, 0, "", 0, ... 376, 2, ) == 0x0 02689 468 NtQueryValueKey (376, (376, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (376, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02690 468 NtQueryValueKey (376, (376, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (376, "DefaultConnectionSettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02691 468 NtReleaseMutant (152, ... 0x0, ) == 0x0 02692 468 NtClose (376, ... ) == 0x0 02693 468 NtWaitForSingleObject (132, 0, 0x0, ... ) == 0x0 02694 468 NtClearEvent (132, ... ) == 0x0 02695 468 NtSetEvent (132, ... 0x0, ) == 0x0 02696 468 NtCreateKey (0x20006, {24, 380, 0x40, 0, 0, (0x20006, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 376, 2, ) }, 0, "", 0, ... 376, 2, ) == 0x0 02697 468 NtSetValueKey (376, (376, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (376, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02698 468 NtDeleteValueKey (376, (376, "ProxyServer", ... ) , ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02699 468 NtDeleteValueKey (376, (376, "ProxyOverride", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02700 468 NtDeleteValueKey (376, (376, "AutoConfigURL", ... ) , ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02701 468 NtClose (376, ... ) == 0x0 02702 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT"}, ... 376, ) }, ... 376, ) == 0x0 02703 468 NtCreateKey (0x2, {24, 376, 0x40, 0, 0, (0x2, {24, 376, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings"}, 0, "", 0, ... 392, 2, ) }, 0, "", 0, ... 392, 2, ) == 0x0 02704 468 NtSetValueKey (392, (392, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 0, 4, (392, "ProxyEnable", 0, 4, "\0\0\0\0", 4, ... ) , 4, ... ) == 0x0 02705 468 NtClose (392, ... ) == 0x0 02706 468 NtWaitForSingleObject (152, 0, 0x0, ... ) == 0x0 02707 468 NtCreateKey (0x1, {24, 380, 0x40, 0, 0, (0x1, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 392, 2, ) }, 0, "", 0, ... 392, 2, ) == 0x0 02708 468 NtQueryValueKey (392, (392, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (392, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02709 468 NtQueryValueKey (392, (392, "SavedLegacySettings", Partial, 144, ... TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (392, "SavedLegacySettings", Partial, 144, ... 
TitleIdx=0, Type=3, Data="<\0\0\0\26\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0"}, 68, ) }, 68, ) == 0x0 02710 468 NtCreateKey (0x2, {24, 380, 0x40, 0, 0, (0x2, {24, 380, 0x40, 0, 0, "Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections"}, 0, "", 0, ... 400, 2, ) }, 0, "", 0, ... 400, 2, ) == 0x0 02711 468 NtReleaseMutant (152, ... 0x0, ) == 0x0 02712 468 NtClose (392, ... ) == 0x0 02713 468 NtSetValueKey (400, (400, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 0, 3, (400, "SavedLegacySettings", 0, 3, "<\0\0\0\27\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\0\0\0\00f\32\27\250\231\307\1\1\0\0\0\300\250|\200\0\0\0\0\0\0\0\0", 56, ... , 56, ... 02714 468 NtSetInformationFile (-2147482700, -136149196, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02715 468 NtSetInformationFile (-2147482700, -136149296, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 02713 468 NtSetValueKey ... ) == 0x0 02716 468 NtClose (400, ... ) == 0x0 02717 468 NtReleaseMutant (144, ... 0x0, ) == 0x0 02718 468 NtClearEvent (156, ... ) == 0x0 02719 468 NtClearEvent (132, ... ) == 0x0 02720 468 NtSetEvent (132, ... 0x0, ) == 0x0 02721 468 NtSetEvent (156, ... 0x0, ) == 0x0 02722 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02723 468 NtQueryInformationFile (92, 1243632, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02724 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 02725 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02726 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters\RPA"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02727 468 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 02728 468 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 02729 468 NtReleaseMutant (148, ... 0x0, ) == 0x0 02730 468 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02731 468 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02732 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02733 468 NtQueryInformationFile (92, 1243828, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02734 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 02735 468 NtReleaseMutant (144, ... 0x0, ) == 0x0 02736 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "urlmon.dll"}, ... 400, ) }, ... 400, ) == 0x0 02737 468 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x760f0000), 0x0, 491520, ) == 0x0 02738 468 NtClose (400, ... ) == 0x0 02739 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "VERSION.dll"}, ... 400, ) }, ... 400, ) == 0x0 02740 468 NtMapViewOfSection (400, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c00000), 0x0, 28672, ) == 0x0 02741 468 NtClose (400, ... ) == 0x0 02742 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02743 468 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 
9240576, 65536, ) == 0x0 02744 468 NtAllocateVirtualMemory (-1, 9240576, 0, 4096, 4096, 4, ... 9240576, 4096, ) == 0x0 02745 468 NtAllocateVirtualMemory (-1, 9244672, 0, 8192, 4096, 4, ... 9244672, 8192, ) == 0x0 02746 468 NtCreateMutant (0x1f0001, {24, 56, 0x80, 0, 0, (0x1f0001, {24, 56, 0x80, 0, 0, "ZonesCounterMutex"}, 0, ... 400, ) }, 0, ... 400, ) == 0x0 02747 468 NtCreateMutant (0x1f0001, {24, 56, 0x80, 0, 0, (0x1f0001, {24, 56, 0x80, 0, 0, "ZonesCacheCounterMutex"}, 0, ... 392, ) }, 0, ... 392, ) == 0x0 02748 468 NtQueryDefaultUILanguage (1239852, ... 02749 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02750 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... -2147482032, ) == 0x0 02751 468 NtQueryInformationToken (-2147482032, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02752 468 NtClose (-2147482032, ... ) == 0x0 02753 468 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003"}, ... -2147482032, ) }, ... -2147482032, ) == 0x0 02754 468 NtOpenKey (0x80000000, {24, 0, 0x240, 0, 0, (0x80000000, {24, 0, 0x240, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02755 468 NtOpenKey (0x80000000, {24, -2147482032, 0x640, 0, 0, (0x80000000, {24, -2147482032, 0x640, 0, 0, "Control Panel\Desktop"}, ... -2147482044, ) }, ... -2147482044, ) == 0x0 02756 468 NtQueryValueKey (-2147482044, (-2147482044, "MultiUILanguageId", Partial, 256, ... ) , Partial, 256, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02757 468 NtClose (-2147482044, ... ) == 0x0 02758 468 NtClose (-2147482032, ... ) == 0x0 02748 468 NtQueryDefaultUILanguage ... ) == 0x0 02759 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Nls\MUILanguages"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02760 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll"}, 1, 96, ... 396, {status=0x0, info=1}, ) }, 1, 96, ... 396, {status=0x0, info=1}, ) == 0x0 02761 468 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 396, ... 404, ) == 0x0 02762 468 NtMapViewOfSection (404, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 2, ... (0x950000), 0x0, 454656, ) == 0x0 02763 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02764 468 NtQueryDefaultLocale (1, 1237888, ... ) == 0x0 02765 468 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\urlmon.dll.123.Config"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02766 468 NtRequestWaitReplyPort (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\214\1\0\0\377\377\377\377\0\0\0\0\240\302\232\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1591, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\214\1\0\0\377\377\377\377\0\0\0\0\240\302\232\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ... 
{128, 156, reply, 0, 464, 468, 1591, 0} (24, {128, 156, new_msg, 0, 1238744, 1, 96, 0} "\210\6\32\1\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\214\1\0\0\377\377\377\377\0\0\0\0\240\302\232\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ... {128, 156, reply, 0, 464, 468, 1591, 0} "(\350\26\0\33\0\1\0\0\0\0\0\1\352\22\0\1\0\0\0\0\0\11\4\1\1\1\0<\0@\0\250\6\32\1\214\1\0\0\377\377\377\377\0\0\0\0\240\302\232\0\0\0\0\0\303\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0(\0,\0\350\6\32\1\0\0\0\0\0\0\0\0\330\355\22\0\0\0\0\0" ) ) == 0x0 02767 468 NtClose (396, ... ) == 0x0 02768 468 NtClose (404, ... ) == 0x0 02769 468 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 02770 468 NtUnmapViewOfSection (-1, 0x12edd8, ... ) == STATUS_NOT_MAPPED_VIEW 02771 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02772 468 NtOpenKey (0x8, {24, 0, 0x40, 0, 0, (0x8, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02773 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02774 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02775 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local\"}, 1236428, ... ) }, 1236428, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02776 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02777 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02778 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02779 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 1237020, ... ) }, 1237020, ... 
) == 0x0 02780 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a"}, 3, 33, ... 404, {status=0x0, info=1}, ) }, 3, 33, ... 404, {status=0x0, info=1}, ) == 0x0 02781 468 NtQueryDebugFilterState (53, 2, ... ) == 0x0 02782 468 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 02783 468 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 02784 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02785 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02786 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 396, ) == 0x0 02787 468 NtQueryInformationToken (396, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02788 468 NtClose (396, ... ) == 0x0 02789 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes"}, ... 396, ) }, ... 396, ) == 0x0 02790 468 NtSetInformationObject (398, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 02791 468 NtQueryKey (398, Name, 384, ... {Name= (398, Name, 384, ... {Name="\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_CLASSES9"}, 138, ) }, 138, ) == 0x0 02792 468 NtOpenKey (0x2000000, {24, 398, 0x40, 0, 0, (0x2000000, {24, 398, 0x40, 0, 0, "PROTOCOLS\Name-Space Handler\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02793 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Classes\PROTOCOLS\Name-Space Handler"}, ... 408, ) }, ... 408, ) == 0x0 02794 468 NtQueryKey (410, Name, 392, ... {Name= (410, Name, 392, ... {Name="\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space HandlerS"}, 130, ) }, 130, ) == 0x0 02795 468 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 02796 468 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 412, ) == 0x0 02797 468 NtQueryInformationToken (412, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 02798 468 NtClose (412, ... ) == 0x0 02799 468 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1078081533-484763869-839522115-1003_Classes\PROTOCOLS\Name-Space Handler"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02800 468 NtEnumerateKey (410, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name= (410, 0, Node, 288, ... {LastWrite={0x5d796f8c,0x1c73999}, TitleIdx=0, Name="mk", Class=""}, 28, ) , Class=""}, 28, ) == 0x0 02801 468 NtEnumerateKey (410, 1, Node, 288, ... ) == STATUS_NO_MORE_ENTRIES 02802 468 NtClose (410, ... ) == 0x0 02803 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02804 468 NtOpenKey (0x1, {24, 12, 0x40, 0, 0, (0x1, {24, 12, 0x40, 0, 0, "SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02805 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 408, ) }, ... 408, ) == 0x0 02806 468 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "Ranges\"}, ... 412, ) }, ... 412, ) == 0x0 02807 468 NtQueryKey (412, 4, 176, ... 
{key info, class 4, size 40}, 40, ) == 0x0 02808 468 NtClose (412, ... ) == 0x0 02809 468 NtRequestWaitReplyPort (84, {28, 52, new_msg, 0, 0, 0, 0, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\330`\25\0" ... {176, 200, reply, 0, 464, 468, 1592, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ... {176, 200, reply, 0, 464, 468, 1592, 0} (84, {28, 52, new_msg, 0, 0, 0, 0, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\13\30\10\2\330`\25\0" ... {176, 200, reply, 0, 464, 468, 1592, 0} "\37\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\1\0\20\0\10\2\220\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0" ) ) == 0x0 02810 468 NtCreateSection (0xf0007, {24, 56, 0x80, 0, 0, (0xf0007, {24, 56, 0x80, 0, 0, "UrlZonesSM_SRI-user"}, {8, 0}, 4, 134217728, 0, ... 412, ) }, {8, 0}, 4, 134217728, 0, ... 412, ) == 0x0 02811 468 NtMapViewOfSection (412, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 4, ... (0x950000), {0, 0}, 4096, ) == 0x0 02812 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\Setup"}, ... 416, ) }, ... 416, ) == 0x0 02813 468 NtQueryValueKey (416, (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 02814 468 NtClose (416, ... 
) == 0x0 02815 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 416, ) }, ... 416, ) == 0x0 02816 468 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "0"}, ... 420, ) }, ... 420, ) == 0x0 02817 468 NtClose (420, ... ) == 0x0 02818 468 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "1"}, ... 420, ) }, ... 420, ) == 0x0 02819 468 NtClose (420, ... ) == 0x0 02820 468 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "2"}, ... 420, ) }, ... 420, ) == 0x0 02821 468 NtClose (420, ... ) == 0x0 02822 468 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "3"}, ... 420, ) }, ... 420, ) == 0x0 02823 468 NtClose (420, ... ) == 0x0 02824 468 NtOpenKey (0x20019, {24, 416, 0x40, 0, 0, (0x20019, {24, 416, 0x40, 0, 0, "4"}, ... 420, ) }, ... 420, ) == 0x0 02825 468 NtClose (420, ... ) == 0x0 02826 468 NtClose (416, ... ) == 0x0 02827 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\"}, ... 416, ) }, ... 416, ) == 0x0 02828 468 NtEnumerateKey (416, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name= (416, 0, Basic, 288, ... {LastWrite={0x8db90da8,0x1c7399c}, TitleIdx=0, Name="0"}, 18, ) }, 18, ) == 0x0 02829 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"}, ... 420, ) }, ... 420, ) == 0x0 02830 468 NtQueryValueKey (420, (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="!\0\0\0"}, 16, ) }, 16, ) == 0x0 02831 468 NtClose (420, ... ) == 0x0 02832 468 NtEnumerateKey (416, 1, Basic, 288, ... 
{LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (416, 1, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="1"}, 18, ) }, 18, ) == 0x0 02833 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"}, ... 420, ) }, ... 420, ) == 0x0 02834 468 NtQueryValueKey (420, (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\333\0\0\0"}, 16, ) }, 16, ) == 0x0 02835 468 NtWaitForSingleObject (400, 0, 0x0, ... ) == 0x0 02836 468 NtReleaseMutant (400, ... 0x0, ) == 0x0 02837 468 NtOpenKey (0x2001f, {24, 12, 0x40, 0, 0, (0x2001f, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"}, ... 424, ) }, ... 424, ) == 0x0 02838 468 NtSetValueKey (424, (424, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (424, "ProxyBypass", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02839 468 NtSetValueKey (424, (424, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (424, "IntranetName", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02840 468 NtSetValueKey (424, (424, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 0, 4, (424, "UNCAsIntranet", 0, 4, "\1\0\0\0", 4, ... ) , 4, ... ) == 0x0 02841 468 NtClose (424, ... ) == 0x0 02842 468 NtClose (420, ... ) == 0x0 02843 468 NtEnumerateKey (416, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (416, 2, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="2I"}, 18, ) }, 18, ) == 0x0 02844 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"}, ... 420, ) }, ... 420, ) == 0x0 02845 468 NtQueryValueKey (420, (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="G\0\0\0"}, 16, ) }, 16, ) == 0x0 02846 468 NtClose (420, ... ) == 0x0 02847 468 NtEnumerateKey (416, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (416, 3, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="3"}, 18, ) }, 18, ) == 0x0 02848 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 420, ) }, ... 420, ) == 0x0 02849 468 NtQueryValueKey (420, (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02850 468 NtClose (420, ... ) == 0x0 02851 468 NtEnumerateKey (416, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name= (416, 4, Basic, 288, ... {LastWrite={0x8f7e0c74,0x1c7399c}, TitleIdx=0, Name="4"}, 18, ) }, 18, ) == 0x0 02852 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"}, ... 420, ) }, ... 420, ) == 0x0 02853 468 NtQueryValueKey (420, (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (420, "Flags", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 02854 468 NtClose (420, ... ) == 0x0 02855 468 NtEnumerateKey (416, 5, Basic, 288, ... ) == STATUS_NO_MORE_ENTRIES 02856 468 NtClose (416, ... ) == 0x0 02857 468 NtWaitForSingleObject (400, 0, 0x0, ... ) == 0x0 02858 468 NtReleaseMutant (400, ... 0x0, ) == 0x0 02859 468 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "Domains\85.114.140.107"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02860 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\85.114.140.107"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02861 468 NtQueryValueKey (408, (408, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (408, "ProxyBypass", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02862 468 NtClearEvent (132, ... ) == 0x0 02863 468 NtSetEvent (132, ... 0x0, ) == 0x0 02864 468 NtOpenKey (0x20019, {24, 408, 0x40, 0, 0, (0x20019, {24, 408, 0x40, 0, 0, "ProtocolDefaults\"}, ... 416, ) }, ... 416, ) == 0x0 02865 468 NtQueryValueKey (416, (416, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "http", Partial, 144, ... TitleIdx=0, Type=4, Data="\3\0\0\0"}, 16, ) }, 16, ) == 0x0 02866 468 NtClose (416, ... ) == 0x0 02867 468 NtWaitForSingleObject (400, 0, 0x0, ... ) == 0x0 02868 468 NtReleaseMutant (400, ... 0x0, ) == 0x0 02869 468 NtWaitForSingleObject (400, 0, 0x0, ... ) == 0x0 02870 468 NtReleaseMutant (400, ... 0x0, ) == 0x0 02871 468 NtWaitForSingleObject (392, 0, 0x0, ... ) == 0x0 02872 468 NtReleaseMutant (392, ... 0x0, ) == 0x0 02873 468 NtOpenKey (0x20019, {24, 12, 0x40, 0, 0, (0x20019, {24, 12, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"}, ... 416, ) }, ... 416, ) == 0x0 02874 468 NtQueryValueKey (416, (416, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "1A10", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02875 468 NtWaitForSingleObject (392, 0, 0x0, ... ) == 0x0 02876 468 NtReleaseMutant (392, ... 0x0, ) == 0x0 02877 468 NtWaitForSingleObject (392, 0, 0x0, ... ) == 0x0 02878 468 NtReleaseMutant (392, ... 
0x0, ) == 0x0 02879 468 NtClose (416, ... ) == 0x0 02880 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02881 468 NtQueryInformationFile (92, 1244080, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02882 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 02883 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 02884 468 NtQueryInformationFile (92, 1241696, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02885 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 02886 468 NtWaitForSingleObject (104, 0, 0x0, ... ) == 0x0 02887 468 NtQueryInformationFile (116, 1243660, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02888 468 NtReleaseMutant (104, ... 0x0, ) == 0x0 02889 468 NtWaitForSingleObject (104, 0, 0x0, ... ) == 0x0 02890 468 NtQueryInformationFile (116, 1243620, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 02891 468 NtReleaseMutant (104, ... 0x0, ) == 0x0 02892 468 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 02893 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 02894 468 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1240536, 112, ... 420, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1240536, 112, ... 420, 0x0, 0x0, 0x0, 112, ) == 0x0 02895 468 NtRequestWaitReplyPort (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} "\0\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w@\353\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\00\351\25\0\0\0\0\0\350\352\25\0P\351\25\0\300\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350\352\25\0\260\2\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... 
{128, 152, reply, 0, 464, 468, 1594, 0} "\7\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\00\351\25\0\0\0\0\0\350\352\25\0P\351\25\0\300\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350\352\25\0\260\2\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ... {128, 152, reply, 0, 464, 468, 1594, 0} (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} "\0\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w@\353\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\00\351\25\0\0\0\0\0\350\352\25\0P\351\25\0\300\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350\352\25\0\260\2\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ... {128, 152, reply, 0, 464, 468, 1594, 0} "\7\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\6\0\0\0\0\00\351\25\0\0\0\0\0\350\352\25\0P\351\25\0\300\352\25\0\0\0\0\0\0\0\0\0\0\0\0\0\350\352\25\0\260\2\24\0\0\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02896 468 NtRequestWaitReplyPort (420, {64, 88, new_msg, 0, 44, 3, 20, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 464, 468, 1595, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 464, 468, 1595, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 464, 468, 1595, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 02897 468 NtClose (416, ... 
) == 0x0 02898 468 NtClose (420, ... ) == 0x0 02899 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) , 0, ... 420, 2, ) == 0x0 02900 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 416, ) }, ... 416, ) == 0x0 02901 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02902 468 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02903 468 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02904 468 NtClose (420, ... ) == 0x0 02905 468 NtClose (416, ... ) == 0x0 02906 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) , 0, ... 416, 2, ) == 0x0 02907 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 420, ) }, ... 420, ) == 0x0 02908 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02909 468 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02910 468 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 02911 468 NtClose (416, ... ) == 0x0 02912 468 NtClose (420, ... ) == 0x0 02913 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02914 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 02915 468 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02916 468 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 02917 468 NtClose (420, ... ) == 0x0 02918 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 02919 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02920 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 02921 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 420, ) == 0x0 02922 468 NtDeviceIoControlFile (308, 420, 0x0, 0x0, 0x120003, (308, 420, 0x0, 0x0, 0x120003, "\1\3\0\0\0\0\0\0\0\2\0\0\0\1\0\0\4\1\0\0\1\0\0\0Ur\214k\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0n\0\0\0Pw-", 51, 52, ... ) , 51, 52, ... ) == STATUS_HOST_UNREACHABLE 02923 468 NtClose (420, ... ) == 0x0 02924 468 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 02925 468 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 02926 468 NtReleaseMutant (148, ... 0x0, ) == 0x0 02927 468 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02928 468 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 02929 468 NtCreateKey (0x2001d, {24, 32, 0x40, 0, 0, (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 02930 468 NtCreateKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 02931 468 NtClose (420, ... ) == 0x0 02932 468 NtQueryValueKey (416, (416, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 02933 468 NtClose (416, ... ) == 0x0 02934 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02935 468 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02936 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 02937 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 02938 468 NtClose (416, ... 
) == 0x0 02939 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02940 468 NtQueryDirectoryFile (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02941 468 NtClose (416, ... ) == 0x0 02942 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 02943 468 NtQueryDirectoryFile (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 02944 468 NtClose (416, ... ) == 0x0 02945 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 02946 468 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 02947 468 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 02948 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 02949 468 NtCreateKey (0x2000000, {24, 420, 0x40, 0, 0, (0x2000000, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 424, 2, ) }, 0, 0x0, 0, ... 424, 2, ) == 0x0 02950 468 NtClose (420, ... ) == 0x0 02951 468 NtQueryValueKey (424, (424, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (424, "AppData", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 02952 468 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9830400, 4096, ) == 0x0 02953 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02954 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02955 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02956 468 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 02957 468 NtClose (420, ... ) == 0x0 02958 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 02959 468 NtQueryValueKey (420, (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 02960 468 NtClose (420, ... ) == 0x0 02961 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02962 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 420, ) }, ... 420, ) == 0x0 02963 468 NtQueryKey (420, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 02964 468 NtQuerySecurityObject (420, 7, 0, ... ) == STATUS_ACCESS_DENIED 02965 468 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02966 468 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02967 468 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02968 468 NtEnumerateValueKey (420, 3, Full, 220, ... 
TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02969 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02970 468 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02971 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02972 468 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02973 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02974 468 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02975 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02976 468 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02977 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02978 468 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02979 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02980 468 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... 
TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02981 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02982 468 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02983 468 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02984 468 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 02985 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02986 468 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... 
TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 02987 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02988 468 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 02989 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 02990 468 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 02991 468 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 02992 468 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 02993 468 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 02994 468 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 02995 468 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 02996 468 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 02997 468 NtEnumerateValueKey (420, 10, Full, 220, ... 
TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 02998 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 02999 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03000 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238728, ... ) }, 1238728, ... ) == 0x0 03001 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03002 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03003 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03004 468 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03005 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03006 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03007 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238728, ... ) }, 1238728, ... ) == 0x0 03008 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03009 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03010 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03011 468 NtClose (420, ... ) == 0x0 03012 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 03013 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "ActiveComputerName"}, ... 428, ) }, ... 428, ) == 0x0 03014 468 NtQueryValueKey (428, (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (428, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03015 468 NtClose (428, ... ) == 0x0 03016 468 NtClose (420, ... ) == 0x0 03017 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03018 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03019 468 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... 
TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03020 468 NtClose (420, ... ) == 0x0 03021 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03022 468 NtQueryValueKey (420, (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 03023 468 NtClose (420, ... ) == 0x0 03024 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03025 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 420, ) }, ... 420, ) == 0x0 03026 468 NtQueryValueKey (420, (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03027 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03028 468 NtQueryValueKey (420, (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "CommonFilesDir", Partial, 144, ... 
TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 03029 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03030 468 NtClose (420, ... ) == 0x0 03031 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03032 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 03033 468 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 03034 468 NtQueryInformationToken (416, Type, 4, ... {token info, class 8, size 4}, 4, ) == 0x0 03035 468 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 1240112, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 03036 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03037 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03038 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 428, ) == 0x0 03039 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03040 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03041 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238316, (0xc0100080, {24, 0, 0x40, 0, 1238316, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 03042 468 NtSetInformationFile (432, 1238372, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03043 468 NtSetInformationFile (432, 1238364, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03044 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03045 468 NtWriteFile (432, 197, 0, 0, (432, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03046 468 NtReadFile (432, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20j \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03047 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20j \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20j \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03048 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\30\354\22\0\1\0\0\0\200\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\30\354\22\0\1\0\0\0\200\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03049 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\0B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03050 468 NtClose (428, ... ) == 0x0 03051 468 NtClose (432, ... ) == 0x0 03052 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03053 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 03054 468 NtOpenThreadToken (-2, 0xc, 1, ... 
) == STATUS_NO_TOKEN 03055 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03056 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238312, (0xc0100080, {24, 0, 0x40, 0, 1238312, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0 03057 468 NtSetInformationFile (428, 1238368, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03058 468 NtSetInformationFile (428, 1238360, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03059 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03060 468 NtWriteFile (428, 197, 0, 0, (428, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03061 468 NtReadFile (428, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (428, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03062 468 NtFsControlFile (428, 197, 0x0, 0x0, 0x11c017, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20k \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03063 468 NtFsControlFile (428, 197, 0x0, 0x0, 0x11c017, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\354\22\0\1\0\0\0\200\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\354\22\0\1\0\0\0\200\353\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03064 468 NtFsControlFile (428, 197, 0x0, 0x0, 0x11c017, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... 
{status=0x103, info=180}, (428, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\1B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\320\22\25\0\1\0\0\0\334\22\25\0 \0\0\0\1\0\0\0\16\0\20\0\350\22\25\0\370\22\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03065 468 NtClose (432, ... ) == 0x0 03066 468 NtClose (428, ... ) == 0x0 03067 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03068 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03069 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03070 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 03071 468 NtQueryValueKey (428, (428, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 03072 468 NtClose (428, ... 
) == 0x0 03073 468 NtCreateKey (0x2001f, {24, 420, 0x40, 0, 0, (0x2001f, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 03074 468 NtQueryValueKey (428, (428, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (428, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 03075 468 NtClose (428, ... ) == 0x0 03076 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03077 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03078 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1240016, ... ) }, 1240016, ... ) == 0x0 03079 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240024, (0x80100080, {24, 0, 0x40, 0, 1240024, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 428, {status=0x0, info=1}, ) == 0x0 03080 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03081 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03082 468 NtQueryInformationFile (428, 1240040, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03083 468 NtReadFile (428, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 03084 468 NtClose (428, ... ) == 0x0 03085 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Environment"}, ... 428, ) }, ... 428, ) == 0x0 03086 468 NtAllocateVirtualMemory (-1, 1441792, 0, 12288, 4096, 4, ... 1441792, 12288, ) == 0x0 03087 468 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03088 468 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03089 468 NtEnumerateValueKey (428, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03090 468 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03091 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03092 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03093 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238756, ... ) }, 1238756, ... ) == 0x0 03094 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 
432, {status=0x0, info=1}, ) == 0x0 03095 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03096 468 NtClose (432, ... ) == 0x0 03097 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03098 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03099 468 NtClose (432, ... ) == 0x0 03100 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03101 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03102 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03103 468 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03104 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03105 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03106 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238756, ... ) }, 1238756, ... ) == 0x0 03107 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03108 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03109 468 NtClose (432, ... ) == 0x0 03110 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03111 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03112 468 NtClose (432, ... ) == 0x0 03113 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03114 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03115 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03116 468 NtEnumerateValueKey (428, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03117 468 NtClose (428, ... ) == 0x0 03118 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Volatile Environment"}, ... 428, ) }, ... 428, ) == 0x0 03119 468 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03120 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03121 468 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03122 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03123 468 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03124 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03125 468 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03126 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03127 468 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03128 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03129 468 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03130 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03131 468 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03132 468 NtEnumerateValueKey (428, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03133 468 NtEnumerateValueKey (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 0, Full, 220, ... 
TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (428, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03134 468 NtEnumerateValueKey (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (428, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03135 468 NtEnumerateValueKey (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (428, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03136 468 NtEnumerateValueKey (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (428, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03137 468 NtEnumerateValueKey (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (428, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03138 468 NtEnumerateValueKey (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (428, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03139 468 NtEnumerateValueKey (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (428, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03140 468 NtEnumerateValueKey (428, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03141 468 NtClose (428, ... ) == 0x0 03142 468 NtClose (420, ... ) == 0x0 03143 468 NtFreeVirtualMemory (-1, (0x960000), 0, 32768, ... (0x960000), 4096, ) == 0x0 03144 468 NtClose (424, ... ) == 0x0 03145 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240680, ... ) }, 1240680, ... ) == 0x0 03146 468 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 03147 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 424, ) }, ... 424, ) == 0x0 03148 468 NtCreateKey (0x2000000, {24, 424, 0x40, 0, 0, (0x2000000, {24, 424, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 03149 468 NtClose (424, ... ) == 0x0 03150 468 NtSetValueKey (420, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03151 468 NtClose (420, ... ) == 0x0 03152 468 NtClose (416, ... 
) == 0x0 03153 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03154 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 03155 468 NtQueryInformationFile (92, 1241728, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03156 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 03157 468 NtReleaseMutant (144, ... 0x0, ) == 0x0 03158 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 03159 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 03160 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 1240480, ... ) }, 1240480, ... ) == 0x0 03161 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 1240124, ... ) }, 1240124, ... ) == 0x0 03162 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... 416, ) }, ... 416, ) == 0x0 03163 468 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 03164 468 NtQueryValueKey (416, (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) , Partial, 144, ... TitleIdx=0, Type=7, Data= (416, "Transports", Partial, 144, ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0\0\0"}, 42, ) }, 42, ) == 0x0 03165 468 NtClose (416, ... ) == 0x0 03166 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 416, ) }, ... 
416, ) == 0x0 03167 468 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03168 468 NtQueryValueKey (416, (416, "Mapping", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 03169 468 NtQueryValueKey (416, (416, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) , Partial, 152, ... TitleIdx=0, Type=3, Data= (416, "Mapping", Partial, 152, ... TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 03170 468 NtClose (416, ... ) == 0x0 03171 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... 416, ) }, ... 416, ) == 0x0 03172 468 NtQueryValueKey (416, (416, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "MinSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 03173 468 NtQueryValueKey (416, (416, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (416, "MaxSockaddrLength", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 03174 468 NtQueryValueKey (416, (416, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (416, "UseDelayedAcceptance", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 03175 468 NtQueryValueKey (416, (416, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (416, "HelperDllName", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 03176 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 1241044, ... ) }, 1241044, ... ) == 0x0 03177 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 420, {status=0x0, info=1}, ) }, 5, 96, ... 420, {status=0x0, info=1}, ) == 0x0 03178 468 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 420, ... 424, ) == 0x0 03179 468 NtClose (420, ... ) == 0x0 03180 468 NtMapViewOfSection (424, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x960000), 0x0, 20480, ) == 0x0 03181 468 NtClose (424, ... ) == 0x0 03182 468 NtUnmapViewOfSection (-1, 0x960000, ... ) == 0x0 03183 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 1241360, ... ) }, 1241360, ... ) == 0x0 03184 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... 424, {status=0x0, info=1}, ) }, 5, 96, ... 424, {status=0x0, info=1}, ) == 0x0 03185 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 424, ... 420, ) == 0x0 03186 468 NtQuerySection (420, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 03187 468 NtClose (424, ... ) == 0x0 03188 468 NtMapViewOfSection (420, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 03189 468 NtClose (420, ... 
) == 0x0 03190 468 NtClose (416, ... ) == 0x0 03191 468 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 1243560, 67, ... 416, {status=0x0, info=0}, ) }, 0x0, 0, 3, 3, 0, 1243560, 67, ... 416, {status=0x0, info=0}, ) == 0x0 03192 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x1207b, (416, 180, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\0\0\00\351\25\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\370\346\10\201", ) , 16, 16, ... {status=0x0, info=16}, (416, 180, 0x0, 0x0, 0x1207b, "\7\0\0\0\0\0\0\00\351\25\0\17\346\367w", 16, 16, ... {status=0x0, info=16}, "\7\0\0\0B\0\0\0\0 \0\0\370\346\10\201", ) , ) == 0x0 03193 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x1207b, (416, 180, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\370\346\10\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\370\346\10\201", ) , 16, 16, ... {status=0x0, info=16}, (416, 180, 0x0, 0x0, 0x1207b, "\6\0\0\0B\0\0\0\0 \0\0\370\346\10\201", 16, 16, ... {status=0x0, info=16}, "\6\0\0\0B\0\0\0\0 \0\0\370\346\10\201", ) , ) == 0x0 03194 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12047, (416, 180, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\00\351\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... {status=0x0, info=0}, "", ) , 248, 16, ... {status=0x0, info=0}, "", ) == 0x0 03195 468 NtWaitForSingleObject (164, 0, {0, 0}, ... 
) == 0x102 03196 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12003, (416, 180, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=420}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , 26, 26, ... {status=0x0, info=420}, (416, 180, 0x0, 0x0, 0x12003, "\2\0\0\0\1\0\0\0\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... {status=0x0, info=420}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03197 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12047, (416, 180, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\0\0\0\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... {status=0x0, info=0}, 0x0, ) , 248, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 03198 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, (416, 180, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\4\13\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 03199 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12007, (416, 180, 0x0, 0x0, 0x12007, "\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\16\0\2\0\0PUr\214k\0\0\0\0\0\0\0\0", 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) , 34, 0, ... {status=0xc000023d, info=0}, 0x0, ) == 0x103 03200 468 NtWaitForSingleObject (180, 1, {-5000000, -1}, ... ) == 0x0 03201 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12037, (416, 180, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (416, 180, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03202 468 NtOpenKey (0x2000000, {24, 32, 0x40, 0, 0, (0x2000000, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 424, ) }, ... 424, ) == 0x0 03203 468 NtQueryValueKey (424, (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03204 468 NtQueryValueKey (424, (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 03205 468 NtQueryValueKey (424, (424, "AutodialDLL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03206 468 NtClose (424, ... ) == 0x0 03207 468 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "rasadhlp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03208 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\rasadhlp.dll"}, 1241784, ... ) }, 1241784, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03209 468 NtQueryAttributesFile ({24, 52, 0x40, 0, 0, ({24, 52, 0x40, 0, 0, "rasadhlp.dll"}, 1241784, ... ) }, 1241784, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03210 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 1241784, ... ) }, 1241784, ... ) == 0x0 03211 468 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\rasadhlp.dll"}, 5, 96, ... 424, {status=0x0, info=1}, ) }, 5, 96, ... 424, {status=0x0, info=1}, ) == 0x0 03212 468 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 424, ... 428, ) == 0x0 03213 468 NtQuerySection (428, Image, 48, ... 
{section info, class 1, size 48}, 0x0, ) == 0x0 03214 468 NtClose (424, ... ) == 0x0 03215 468 NtMapViewOfSection (428, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76fc0000), 0x0, 20480, ) == 0x0 03216 468 NtClose (428, ... ) == 0x0 03217 468 NtCreateFile (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Device\RasAcd"}, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) }, 0x0, 128, 3, 3, 0, 0, 0, ... 428, {status=0x0, info=0}, ) == 0x0 03218 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0 03219 468 NtDeviceIoControlFile (428, 424, 0x0, 0x0, 0xf14014, (428, 424, 0x0, 0x0, 0xf14014, "\0\0\0\0Ur\214k\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 1552, 0, ... ) , 1552, 0, ... ) == STATUS_UNSUCCESSFUL 03220 468 NtClose (424, ... ) == 0x0 03221 468 NtClose (428, ... ) == 0x0 03222 468 NtDeviceIoControlFile (416, 180, 0x0, 0x0, 0x12037, (416, 180, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , 4, 8, ... {status=0x0, info=8}, (416, 180, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... 
{status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 03223 468 NtClose (420, ... ) == 0x0 03224 468 NtClose (416, ... ) == 0x0 03225 468 NtWaitForSingleObject (172, 0, {0, 0}, ... ) == 0x102 03226 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 416, ) == 0x0 03227 468 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 1}, 0x0, 0x0, 1240536, 112, ... 420, 0x0, 0x0, 0x0, 112, ) , {12, 2, 1, 1}, 0x0, 0x0, 1240536, 112, ... 420, 0x0, 0x0, 0x0, 112, ) == 0x0 03228 468 NtRequestWaitReplyPort (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} "\0\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w@\353\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\270\350\25\0\340\303\25\0\0\0\0\0\330\303\25\0\0\304\25\0(\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... {128, 152, reply, 0, 464, 468, 1598, 0} "\7\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\270\350\25\0\340\303\25\0\0\0\0\0\330\303\25\0\0\304\25\0(\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ... {128, 152, reply, 0, 464, 468, 1598, 0} (420, {128, 152, new_msg, 0, 125868, 1310720, 1240300, 2012750850} "\0\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0k\23\314w\4\0\0\0\20\344\314w@\353\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\270\350\25\0\340\303\25\0\0\0\0\0\330\303\25\0\0\304\25\0(\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ... 
{128, 152, reply, 0, 464, 468, 1598, 0} "\7\363\22\0\2$\370w\370T\367w\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\20\344\314w\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\7\0\270\350\25\0\340\303\25\0\0\0\0\0\330\303\25\0\0\304\25\0(\304\25\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\1\24\0\0\0\0\0\5\0\0\0\5\0\0\0" ) ) == 0x0 03229 468 NtRequestWaitReplyPort (420, {64, 88, new_msg, 0, 44, 3, 20, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 464, 468, 1599, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ... {52, 76, reply, 0, 464, 468, 1599, 0} (420, {64, 88, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\10\0\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0\3757B@\335\350\344\34C\27\122" ... {52, 76, reply, 0, 464, 468, 1599, 0} "\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200]\12\0\1\0\0\0\1\0\0\0\300\250|\201\377\377\377\0" ) ) == 0x0 03230 468 NtClose (416, ... ) == 0x0 03231 468 NtClose (420, ... ) == 0x0 03232 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 420, 2, ) , 0, ... 420, 2, ) == 0x0 03233 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 416, ) }, ... 416, ) == 0x0 03234 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 03235 468 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03236 468 NtQueryValueKey (420, (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "Hostname", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03237 468 NtClose (420, ... ) == 0x0 03238 468 NtClose (416, ... ) == 0x0 03239 468 NtCreateKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) }, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 416, 2, ) , 0, ... 416, 2, ) == 0x0 03240 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 420, ) }, ... 420, ) == 0x0 03241 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03242 468 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03243 468 NtQueryValueKey (416, (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (416, "Domain", Partial, 144, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 03244 468 NtClose (416, ... ) == 0x0 03245 468 NtClose (420, ... 
) == 0x0 03246 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Services\VxD\MSTCP"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03247 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\ComputerName\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 03248 468 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03249 468 NtQueryValueKey (420, (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ComputerName", Partial, 144, ... TitleIdx=0, Type=1, Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 28, ) }, 28, ) == 0x0 03250 468 NtClose (420, ... ) == 0x0 03251 468 NtWaitForSingleObject (164, 0, {0, 0}, ... ) == 0x102 03252 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03253 468 NtCreateFile (0x20000000, {24, 0, 0x40, 0, 0, (0x20000000, {24, 0, 0x40, 0, 0, "\Device\Tcp6"}, 0x0, 128, 3, 3, 0, 0, 0, ... ) }, 0x0, 128, 3, 3, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03254 468 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 420, ) == 0x0 03255 468 NtDeviceIoControlFile (308, 420, 0x0, 0x0, 0x120003, (308, 420, 0x0, 0x0, 0x120003, "\1\3\0\0\0\0\0\0\0\2\0\0\0\1\0\0\4\1\0\0\1\0\0\0Ur\214k\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0n\0\0\0Pw-", 51, 52, ... ) , 51, 52, ... ) == STATUS_HOST_UNREACHABLE 03256 468 NtClose (420, ... ) == 0x0 03257 468 NtWaitForSingleObject (144, 0, 0x0, ... ) == 0x0 03258 468 NtWaitForSingleObject (148, 0, 0x0, ... ) == 0x0 03259 468 NtReleaseMutant (148, ... 
0x0, ) == 0x0 03260 468 NtQueryValueKey (76, (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "EnableAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03261 468 NtQueryValueKey (76, (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "NoNetAutodial", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 03262 468 NtCreateKey (0x2001d, {24, 32, 0x40, 0, 0, (0x2001d, {24, 32, 0x40, 0, 0, "Software\Microsoft\RAS AutoDial"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 03263 468 NtCreateKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Default"}, 0, 0x0, 0, ... 416, 2, ) }, 0, 0x0, 0, ... 416, 2, ) == 0x0 03264 468 NtClose (420, ... ) == 0x0 03265 468 NtQueryValueKey (416, (416, "DefaultInternet", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 03266 468 NtClose (416, ... ) == 0x0 03267 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03268 468 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 03269 468 NtReleaseSemaphore (108, 1, ... 0, ) == 0x0 03270 468 NtWaitForSingleObject (108, 0, {0, 0}, ... ) == 0x0 03271 468 NtClose (416, ... ) == 0x0 03272 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... 416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 03273 468 NtQueryDirectoryFile (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03274 468 NtClose (416, ... ) == 0x0 03275 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\Ras\"}, 3, 16417, ... 
416, {status=0x0, info=1}, ) }, 3, 16417, ... 416, {status=0x0, info=1}, ) == 0x0 03276 468 NtQueryDirectoryFile (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, (416, 0, 0, 0, 1239656, 616, BothDirectory, 1, "<.pbk", 0, ... ) , 0, ... ) == STATUS_NO_SUCH_FILE 03277 468 NtClose (416, ... ) == 0x0 03278 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03279 468 NtOpenProcessToken (-1, 0xc, ... 416, ) == 0x0 03280 468 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 03281 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 03282 468 NtCreateKey (0x2000000, {24, 420, 0x40, 0, 0, (0x2000000, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"}, 0, 0x0, 0, ... 428, 2, ) }, 0, 0x0, 0, ... 428, 2, ) == 0x0 03283 468 NtClose (420, ... ) == 0x0 03284 468 NtQueryValueKey (428, (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (428, "AppData", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 74, ) }, 74, ) == 0x0 03285 468 NtAllocateVirtualMemory (-1, 0, 0, 1, 4096, 4, ... 9830400, 4096, ) == 0x0 03286 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03287 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03288 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03289 468 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03290 468 NtClose (420, ... ) == 0x0 03291 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03292 468 NtQueryValueKey (420, (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "AllUsersProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0"}, 32, ) }, 32, ) == 0x0 03293 468 NtClose (420, ... ) == 0x0 03294 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03295 468 NtOpenKey (0x1, {24, 32, 0x40, 0, 0, (0x1, {24, 32, 0x40, 0, 0, "System\CurrentControlSet\Control\Session Manager\Environment"}, ... 420, ) }, ... 420, ) == 0x0 03296 468 NtQueryKey (420, Full, 176, ... {LastWrite={0x7838d13c,0x1c73999}, TitleIdx=0, Subkeys=0, Values=12, Class=""}, 44, ) == 0x0 03297 468 NtQuerySecurityObject (420, 7, 0, ... ) == STATUS_ACCESS_DENIED 03298 468 NtEnumerateValueKey (420, 0, Full, 220, ... 
TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03299 468 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03300 468 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03301 468 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03302 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03303 468 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03304 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03305 468 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03306 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03307 468 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03308 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03309 468 NtEnumerateValueKey (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03310 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03311 468 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03312 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03313 468 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03314 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03315 468 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03316 468 NtEnumerateValueKey (420, 11, Full, 220, ... 
TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03317 468 NtEnumerateValueKey (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) , Data= (420, 0, Full, 220, ... TitleIdx=0, Type=2, Name="ComSpec", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0c\0m\0d\0.\0e\0x\0e\0\0\0"}, 96, ) }, 96, ) == 0x0 03318 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03319 468 NtEnumerateValueKey (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) , Data= (420, 1, Full, 220, ... TitleIdx=0, Type=2, Name="Path", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0;\0%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0W\0b\0e\0m\0\0\0"}, 152, ) }, 152, ) == 0x0 03320 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03321 468 NtEnumerateValueKey (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 2, Full, 220, ... 
TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) , Data= (420, 2, Full, 220, ... TitleIdx=0, Type=2, Name="windir", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\0\0"}, 58, ) }, 58, ) == 0x0 03322 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03323 468 NtEnumerateValueKey (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) , Data= (420, 3, Full, 220, ... TitleIdx=0, Type=1, Name="OS", Data="W\0i\0n\0d\0o\0w\0s\0_\0N\0T\0\0\0"}, 46, ) }, 46, ) == 0x0 03324 468 NtEnumerateValueKey (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) , Data= (420, 4, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_ARCHITECTURE", Data="x\08\06\0\0\0"}, 72, ) }, 72, ) == 0x0 03325 468 NtEnumerateValueKey (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) , Data= (420, 5, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_LEVEL", Data="1\05\0\0\0"}, 58, ) }, 58, ) == 0x0 03326 468 NtEnumerateValueKey (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) , Data= (420, 6, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_IDENTIFIER", Data="x\08\06\0 \0F\0a\0m\0i\0l\0y\0 \01\05\0 \0M\0o\0d\0e\0l\0 \04\0 \0S\0t\0e\0p\0p\0i\0n\0g\0 \08\0,\0 \0G\0e\0n\0u\0i\0n\0e\0I\0n\0t\0e\0l\0\0\0"}, 154, ) }, 154, ) == 0x0 03327 468 NtEnumerateValueKey (420, 7, Full, 220, ... 
TitleIdx=0, Type=1, Name= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) , Data= (420, 7, Full, 220, ... TitleIdx=0, Type=1, Name="PROCESSOR_REVISION", Data="0\04\00\08\0\0\0"}, 66, ) }, 66, ) == 0x0 03328 468 NtEnumerateValueKey (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) , Data= (420, 8, Full, 220, ... TitleIdx=0, Type=1, Name="NUMBER_OF_PROCESSORS", Data="1\0\0\0"}, 64, ) }, 64, ) == 0x0 03329 468 NtEnumerateValueKey (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) , Data= (420, 9, Full, 220, ... TitleIdx=0, Type=1, Name="PATHEXT", Data=".\0C\0O\0M\0;\0.\0E\0X\0E\0;\0.\0B\0A\0T\0;\0.\0C\0M\0D\0;\0.\0V\0B\0S\0;\0.\0V\0B\0E\0;\0.\0J\0S\0;\0.\0J\0S\0E\0;\0.\0W\0S\0F\0;\0.\0W\0S\0H\0\0\0"}, 134, ) }, 134, ) == 0x0 03330 468 NtEnumerateValueKey (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 10, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03331 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03332 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03333 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238728, ... ) }, 1238728, ... ) == 0x0 03334 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03335 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03336 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03337 468 NtEnumerateValueKey (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) , Data= (420, 11, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0T\0E\0M\0P\0\0\0"}, 64, ) }, 64, ) == 0x0 03338 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03339 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03340 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\TEMP"}, 1238728, ... ) }, 1238728, ... ) == 0x0 03341 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03342 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03343 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03344 468 NtClose (420, ... ) == 0x0 03345 468 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... 420, ) }, ... 420, ) == 0x0 03346 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "ActiveComputerName"}, ... 424, ) }, ... 424, ) == 0x0 03347 468 NtQueryValueKey (424, (424, "ComputerName", Full, 108, ... 
TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Full, 108, ... TitleIdx=0, Type=1, Name= (424, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) , Data= (424, "ComputerName", Full, 108, ... TitleIdx=0, Type=1, Name="ComputerName", Data="M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 60, ) }, 60, ) == 0x0 03348 468 NtClose (424, ... ) == 0x0 03349 468 NtClose (420, ... ) == 0x0 03350 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03351 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03352 468 NtQueryValueKey (420, (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (420, "ProfilesDirectory", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\0\0"}, 86, ) }, 86, ) == 0x0 03353 468 NtClose (420, ... ) == 0x0 03354 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList"}, ... 420, ) }, ... 420, ) == 0x0 03355 468 NtQueryValueKey (420, (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "DefaultUserProfile", Partial, 144, ... TitleIdx=0, Type=1, Data="D\0e\0f\0a\0u\0l\0t\0 \0U\0s\0e\0r\0\0\0"}, 38, ) }, 38, ) == 0x0 03356 468 NtClose (420, ... ) == 0x0 03357 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03358 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion"}, ... 420, ) }, ... 420, ) == 0x0 03359 468 NtQueryValueKey (420, (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "ProgramFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\0\0"}, 46, ) }, 46, ) == 0x0 03360 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03361 468 NtQueryValueKey (420, (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (420, "CommonFilesDir", Partial, 144, ... TitleIdx=0, Type=1, Data="C\0:\0\\0P\0r\0o\0g\0r\0a\0m\0 \0F\0i\0l\0e\0s\0\\0C\0o\0m\0m\0o\0n\0 \0F\0i\0l\0e\0s\0\0\0"}, 72, ) }, 72, ) == 0x0 03362 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03363 468 NtClose (420, ... ) == 0x0 03364 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03365 468 NtOpenKey (0x20019, {24, 388, 0x40, 0, 0, (0x20019, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 420, ) }, ... 420, ) == 0x0 03366 468 NtOpenThreadToken (-2, 0x2000c, 1, ... ) == STATUS_NO_TOKEN 03367 468 NtQueryInformationToken (416, Type, 4, ... 
{token info, class 8, size 4}, 4, ) == 0x0 03368 468 NtDuplicateToken (416, 0xc, {24, 0, 0x0, 0, 1240112, 0x0}, 0, 2, ... ) == STATUS_ACCESS_DENIED 03369 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03370 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03371 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 424, ) == 0x0 03372 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03373 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03374 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238316, (0xc0100080, {24, 0, 0x40, 0, 1238316, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 432, {status=0x0, info=1}, ) == 0x0 03375 468 NtSetInformationFile (432, 1238372, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03376 468 NtSetInformationFile (432, 1238364, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03377 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03378 468 NtWriteFile (432, 197, 0, 0, (432, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03379 468 NtReadFile (432, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (432, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03380 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... 
{status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\340\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20l \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03381 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\30\354\22\0\1\0\0\0X\304\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... {status=0x103, info=48}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\30\354\22\0\1\0\0\0X\304\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03382 468 NtFsControlFile (432, 197, 0x0, 0x0, 0x11c017, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... 
{status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\347\25\0\1\0\0\0\324\347\25\0 \0\0\0\1\0\0\0\16\0\20\0\340\347\25\0\360\347\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (432, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\2B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\347\25\0\1\0\0\0\324\347\25\0 \0\0\0\1\0\0\0\16\0\20\0\340\347\25\0\360\347\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03383 468 NtClose (424, ... ) == 0x0 03384 468 NtClose (432, ... ) == 0x0 03385 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03386 468 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 432, ) == 0x0 03387 468 NtOpenThreadToken (-2, 0xc, 1, ... ) == STATUS_NO_TOKEN 03388 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... ) == 0x0 03389 468 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 1238312, (0xc0100080, {24, 0, 0x40, 0, 1238312, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 0, 3, 1, 64, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0 03390 468 NtSetInformationFile (424, 1238368, 8, Pipe, ... {status=0x0, info=0}, ) == 0x0 03391 468 NtSetInformationFile (424, 1238360, 8, Completion, ... {status=0x0, info=0}, ) == 0x0 03392 468 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
) == 0x0 03393 468 NtWriteFile (424, 197, 0, 0, (424, 197, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... {status=0x0, info=72}, ) , 72, {0, 0}, 0, ... {status=0x0, info=72}, ) == 0x0 03394 468 NtReadFile (424, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, (424, 197, 0, 0, 1024, {0, 0}, 0, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 03395 468 NtFsControlFile (424, 197, 0x0, 0x0, 0x11c017, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , 64, 1024, ... {status=0x103, info=68}, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\334\353\22\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20m \0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 03396 468 NtFsControlFile (424, 197, 0x0, 0x0, 0x11c017, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\354\22\0\1\0\0\0X\304\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , 116, 1024, ... 
{status=0x103, info=48}, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0t\0\0\0\2\0\0\0\\0\0\0\0\09\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305\1\0\0\0\24\354\22\0\1\0\0\0X\304\25\0\5\0\0\0\1\5\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\353\3\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 116, 1024, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305\0\0\0\0", ) , ) == 0x103 03397 468 NtFsControlFile (424, 197, 0x0, 0x0, 0x11c017, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\347\25\0\1\0\0\0\324\347\25\0 \0\0\0\1\0\0\0\16\0\20\0\340\347\25\0\360\347\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , 44, 1024, ... {status=0x103, info=180}, (424, 197, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\3B\374\3\315~\334\21\261\310\0\14)\371\246\305", 44, 1024, ... {status=0x103, info=180}, "\5\0\2\3\20\0\0\0\264\0\0\0\2\0\0\0\234\0\0\0\0\0\0\0\310\347\25\0\1\0\0\0\324\347\25\0 \0\0\0\1\0\0\0\16\0\20\0\340\347\25\0\360\347\25\0\10\0\0\0\0\0\0\0\7\0\0\0M\0Y\0W\0O\0R\0L\0D\0O\0\4\0\0\0\1\4\0\0\0\0\0\5\25\0\0\0\3757B@\335\350\344\34C\27\122\1\0\0\0\300/\25\0\1\0\0\0\1\0\0\0\20\0\22\0\324/\25\0\0\0\0\0\0\0\0\0\11\0\0\0\0\0\0\0\10\0\0\0S\0R\0I\0-\0u\0s\0e\0r\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 03398 468 NtClose (432, ... ) == 0x0 03399 468 NtClose (424, ... ) == 0x0 03400 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03401 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03402 468 NtQueryInformationToken (416, User, 200, ... {token info, class 1, size 36}, 36, ) == 0x0 03403 468 NtOpenKey (0x20019, {24, 32, 0x40, 0, 0, (0x20019, {24, 32, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1078081533-484763869-839522115-1003"}, ... 424, ) }, ... 424, ) == 0x0 03404 468 NtQueryValueKey (424, (424, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) , Partial, 144, ... TitleIdx=0, Type=2, Data= (424, "ProfileImagePath", Partial, 144, ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0D\0r\0i\0v\0e\0%\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 104, ) }, 104, ) == 0x0 03405 468 NtClose (424, ... ) == 0x0 03406 468 NtCreateKey (0x2001f, {24, 420, 0x40, 0, 0, (0x2001f, {24, 420, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"}, 0, 0x0, 0, ... 424, 2, ) }, 0, 0x0, 0, ... 424, 2, ) == 0x0 03407 468 NtQueryValueKey (424, (424, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (424, "ParseAutoexec", Partial, 144, ... TitleIdx=0, Type=1, Data="1\0\0\0"}, 16, ) }, 16, ) == 0x0 03408 468 NtClose (424, ... ) == 0x0 03409 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03410 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... 
) == 0x0 03411 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\c:\autoexec.bat"}, 1240016, ... ) }, 1240016, ... ) == 0x0 03412 468 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1240024, (0x80100080, {24, 0, 0x40, 0, 1240024, "\??\c:\autoexec.bat"}, 0x0, 128, 1, 1, 96, 0, 0, ... 424, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 424, {status=0x0, info=1}, ) == 0x0 03413 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03414 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03415 468 NtQueryInformationFile (424, 1240040, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03416 468 NtReadFile (424, 0, 0, 0, 0, 0x0, 0, ... {status=0x0, info=0}, "", ) == 0x0 03417 468 NtClose (424, ... ) == 0x0 03418 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Environment"}, ... 424, ) }, ... 424, ) == 0x0 03419 468 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03420 468 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03421 468 NtEnumerateValueKey (424, 2, Full, 220, ... 
) == STATUS_NO_MORE_ENTRIES 03422 468 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=2, Name="TEMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03423 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03424 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03425 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238756, ... ) }, 1238756, ... ) == 0x0 03426 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03427 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03428 468 NtClose (432, ... ) == 0x0 03429 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03430 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03431 468 NtClose (432, ... ) == 0x0 03432 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... 
{process info, class 12, size 4}, 0x0, ) == 0x0 03433 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03434 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03435 468 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=2, Name="TMP", Data="%\0U\0S\0E\0R\0P\0R\0O\0F\0I\0L\0E\0%\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0\0\0"}, 96, ) }, 96, ) == 0x0 03436 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03437 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03438 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Local Settings\Temp"}, 1238756, ... ) }, 1238756, ... ) == 0x0 03439 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 432, {status=0x0, info=1}, ) == 0x0 03440 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Documents and Settings", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 03441 468 NtClose (432, ... ) == 0x0 03442 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\"}, 3, 16417, ... 432, {status=0x0, info=1}, ) }, 3, 16417, ... 
432, {status=0x0, info=1}, ) == 0x0 03443 468 NtQueryDirectoryFile (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, (432, 0, 0, 0, 1238116, 616, BothDirectory, 1, "Local Settings", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 03444 468 NtClose (432, ... ) == 0x0 03445 468 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 03446 468 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 03447 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03448 468 NtEnumerateValueKey (424, 2, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03449 468 NtClose (424, ... ) == 0x0 03450 468 NtOpenKey (0x20019, {24, 420, 0x40, 0, 0, (0x20019, {24, 420, 0x40, 0, 0, "Volatile Environment"}, ... 424, ) }, ... 424, ) == 0x0 03451 468 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03452 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03453 468 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03454 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... 
{BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03455 468 NtEnumerateValueKey (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03456 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03457 468 NtEnumerateValueKey (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03458 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03459 468 NtEnumerateValueKey (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03460 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03461 468 NtEnumerateValueKey (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 5, Full, 220, ... 
TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03462 468 NtQueryVirtualMemory (-1, 0x960000, Basic, 28, ... {BaseAddress=0x960000,AllocationBase=0x960000,AllocationProtect=0x4,RegionSize=0x1000,State=0x1000,Protect=0x4,Type=0x20000,}, 0x0, ) == 0x0 03463 468 NtEnumerateValueKey (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03464 468 NtEnumerateValueKey (424, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03465 468 NtEnumerateValueKey (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) , Data= (424, 0, Full, 220, ... TitleIdx=0, Type=1, Name="LOGONSERVER", Data="\\0\\0M\0Y\0W\0O\0R\0L\0D\0\0\0"}, 64, ) }, 64, ) == 0x0 03466 468 NtEnumerateValueKey (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) , Data= (424, 1, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEDRIVE", Data="C\0:\0\0\0"}, 46, ) }, 46, ) == 0x0 03467 468 NtEnumerateValueKey (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 2, Full, 220, ... TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) , Data= (424, 2, Full, 220, ... 
TitleIdx=0, Type=1, Name="HOMEPATH", Data="\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\0\0"}, 102, ) }, 102, ) == 0x0 03468 468 NtEnumerateValueKey (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) , Data= (424, 3, Full, 220, ... TitleIdx=0, Type=1, Name="CLIENTNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 56, ) }, 56, ) == 0x0 03469 468 NtEnumerateValueKey (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) , Data= (424, 4, Full, 220, ... TitleIdx=0, Type=1, Name="SESSIONNAME", Data="C\0o\0n\0s\0o\0l\0e\0\0\0"}, 60, ) }, 60, ) == 0x0 03470 468 NtEnumerateValueKey (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) , Data= (424, 5, Full, 220, ... TitleIdx=0, Type=1, Name="APPDATA", Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0"}, 140, ) }, 140, ) == 0x0 03471 468 NtEnumerateValueKey (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) , Data= (424, 6, Full, 220, ... TitleIdx=0, Type=1, Name="HOMESHARE", Data="\0\0"}, 42, ) }, 42, ) == 0x0 03472 468 NtEnumerateValueKey (424, 7, Full, 220, ... ) == STATUS_NO_MORE_ENTRIES 03473 468 NtClose (424, ... ) == 0x0 03474 468 NtClose (420, ... ) == 0x0 03475 468 NtFreeVirtualMemory (-1, (0x960000), 0, 32768, ... (0x960000), 4096, ) == 0x0 03476 468 NtClose (428, ... 
) == 0x0 03477 468 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data"}, 1240680, ... ) }, 1240680, ... ) == 0x0 03478 468 NtQueryInformationToken (416, User, 64, ... {token info, class 1, size 36}, 36, ) == 0x0 03479 468 NtOpenKey (0x2001f, {24, 388, 0x40, 0, 0, (0x2001f, {24, 388, 0x40, 0, 0, "S-1-5-21-1078081533-484763869-839522115-1003"}, ... 428, ) }, ... 428, ) == 0x0 03480 468 NtCreateKey (0x2000000, {24, 428, 0x40, 0, 0, (0x2000000, {24, 428, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, 0, 0x0, 0, ... 420, 2, ) }, 0, 0x0, 0, ... 420, 2, ) == 0x0 03481 468 NtClose (428, ... ) == 0x0 03482 468 NtSetValueKey (420, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 0, 1, (420, "AppData", 0, 1, "C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0S\0R\0I\0-\0u\0s\0e\0r\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0", 104, ... ) , 104, ... ) == 0x0 03483 468 NtClose (420, ... ) == 0x0 03484 468 NtClose (416, ... ) == 0x0 03485 468 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\Documents and Settings\SRI-user\Application Data\Microsoft\Network\Connections\Pbk\"}, 3, 16417, ... ) }, 3, 16417, ... ) == STATUS_OBJECT_PATH_NOT_FOUND 03486 468 NtWaitForSingleObject (96, 0, 0x0, ... ) == 0x0 03487 468 NtQueryInformationFile (92, 1241728, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 03488 468 NtReleaseMutant (96, ... 0x0, ) == 0x0 03489 468 NtReleaseMutant (144, ... 0x0, ) == 0x0 03490 468 NtClearEvent (156, ... ) == 0x0 03491 468 NtSetEvent (156, ... 0x0, ) == 0x0 03492 468 NtTerminateProcess (0, 0, ... ) == 0x0 03493 468 NtUnmapViewOfSection (-1, 0x950000, ... ) == 0x0 03494 468 NtClose (412, ... 
) == 0x0 03495 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x14,}, 4, ... ) == 0x0 03496 468 NtUnmapViewOfSection (-1, 0x8e0000, ... ) == 0x0 03497 468 NtClose (404, ... ) == 0x0 03498 468 NtClose (392, ... ) == 0x0 03499 468 NtClose (400, ... ) == 0x0 03500 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x13,}, 4, ... ) == 0x0 03501 468 NtFreeVirtualMemory (-1, (0x8d0000), 0, 32768, ... (0x8d0000), 65536, ) == 0x0 03502 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x12,}, 4, ... ) == 0x0 03503 468 NtClose (384, ... ) == 0x0 03504 468 NtFreeVirtualMemory (-1, (0x8c0000), 0, 32768, ... (0x8c0000), 65536, ) == 0x0 03505 468 NtClose (308, ... ) == 0x0 03506 468 NtClose (312, ... ) == 0x0 03507 468 NtClose (320, ... ) == 0x0 03508 468 NtClose (316, ... ) == 0x0 03509 468 NtClose (324, ... ) == 0x0 03510 468 NtClose (300, ... ) == 0x0 03511 468 NtClose (304, ... ) == 0x0 03512 468 NtClose (340, ... ) == 0x0 03513 468 NtClose (336, ... ) == 0x0 03514 468 NtClose (332, ... ) == 0x0 03515 468 NtClose (328, ... ) == 0x0 03516 468 NtClose (296, ... ) == 0x0 03517 468 NtClose (284, ... ) == 0x0 03518 468 NtClose (280, ... ) == 0x0 03519 468 NtClose (360, ... ) == 0x0 03520 468 NtClose (364, ... ) == 0x0 03521 468 NtClose (368, ... ) == 0x0 03522 468 NtClose (372, ... ) == 0x0 03523 468 NtSetEvent (356, ... 0x0, ) == 0x0 03524 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x10,}, 4, ... ) == 0x0 03525 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x11,}, 4, ... ) == 0x0 03526 468 NtClose (272, ... ) == 0x0 03527 468 NtUnmapViewOfSection (-1, 0x940000, ... ) == 0x0 03528 468 NtClose (276, ... ) == 0x0 03529 468 NtClose (268, ... ) == 0x0 03530 468 NtClose (256, ... ) == 0x0 03531 468 NtClose (260, ... ) == 0x0 03532 468 NtClose (264, ... ) == 0x0 03533 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xf,}, 4, ... ) == 0x0 03534 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xe,}, 4, ... 
) == 0x0 03535 468 NtWaitForMultipleObjects (2, (236, 232, ), 1, 0, 0x0, ... ) == 0x1 03536 468 NtClose (232, ... ) == 0x0 03537 468 NtSetEvent (236, ... 0x0, ) == 0x0 03538 468 NtClose (236, ... ) == 0x0 03539 468 NtWaitForMultipleObjects (2, (240, 244, ), 1, 0, 0x0, ... ) == 0x1 03540 468 NtClose (244, ... ) == 0x0 03541 468 NtSetEvent (240, ... 0x0, ) == 0x0 03542 468 NtClose (240, ... ) == 0x0 03543 468 NtWaitForMultipleObjects (2, (248, 252, ), 1, 0, 0x0, ... ) == 0x1 03544 468 NtClose (252, ... ) == 0x0 03545 468 NtSetEvent (248, ... 0x0, ) == 0x0 03546 468 NtClose (248, ... ) == 0x0 03547 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xd,}, 4, ... ) == 0x0 03548 468 NtClose (344, ... ) == 0x0 03549 468 NtClose (348, ... ) == 0x0 03550 468 NtClose (356, ... ) == 0x0 03551 468 NtClose (352, ... ) == 0x0 03552 468 NtFreeVirtualMemory (-1, (0x900000), 0, 32768, ... (0x900000), 262144, ) == 0x0 03553 468 NtUserUnregisterClass (1244504, 1991376896, 1244492, ... ) == 0x0 03554 468 NtUnmapViewOfSection (-1, 0x8b0000, ... ) == 0x0 03555 468 NtClose (220, ... ) == 0x0 03556 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc03b 03557 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03558 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc03d 03559 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03560 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc03f 03561 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03562 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc041 03563 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03564 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc043 03565 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03566 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... 
) == 0xc045 03567 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03568 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc047 03569 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03570 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc049 03571 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03572 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc04b 03573 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03574 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc04d 03575 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03576 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc04f 03577 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03578 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc051 03579 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03580 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc053 03581 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03582 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc057 03583 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03584 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc059 03585 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03586 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc05b 03587 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03588 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... ) == 0xc05d 03589 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03590 468 NtUserGetClassInfo (1999896576, 1244592, 1244544, 1244620, 0, ... 
) == 0xc05f 03591 468 NtUserUnregisterClass (1244596, 1999896576, 1244584, ... ) == 0x1 03592 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0xa,}, 4, ... ) == 0x0 03593 468 NtClose (108, ... ) == 0x0 03594 468 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 03595 468 NtClose (112, ... ) == 0x0 03596 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x8,}, 4, ... ) == 0x0 03597 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x9,}, 4, ... ) == 0x0 03598 468 NtClose (80, ... ) == 0x0 03599 468 NtClose (68, ... ) == 0x0 03600 468 NtClose (84, ... ) == 0x0 03601 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc03b 03602 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03603 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc03d 03604 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03605 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc03f 03606 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03607 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc041 03608 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03609 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc043 03610 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03611 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc045 03612 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03613 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc047 03614 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03615 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc049 03616 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03617 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... 
) == 0xc04b 03618 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03619 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc04d 03620 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03621 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc04f 03622 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03623 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc051 03624 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03625 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc053 03626 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03627 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc057 03628 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03629 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc059 03630 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03631 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc05b 03632 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03633 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc05d 03634 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03635 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc05f 03636 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03637 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc017 03638 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03639 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc019 03640 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03641 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... 
) == 0xc018 03642 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03643 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc01a 03644 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03645 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc01c 03646 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03647 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc01e 03648 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03649 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc01b 03650 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03651 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc068 03652 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03653 468 NtUserGetClassInfo (1905590272, 1244592, 1244544, 1244620, 0, ... ) == 0xc06a 03654 468 NtUserUnregisterClass (1244596, 1905590272, 1244584, ... ) == 0x1 03655 468 NtUnmapViewOfSection (-1, 0x860000, ... ) == 0x0 03656 468 NtClose (76, ... ) == 0x0 03657 468 NtClose (64, ... ) == 0x0 03658 468 NtWaitForSingleObject (132, 0, 0x0, ... ) == 0x0 03659 468 NtClearEvent (132, ... ) == 0x0 03660 468 NtSetEvent (132, ... 0x0, ) == 0x0 03661 468 NtClose (132, ... ) == 0x0 03662 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x6,}, 4, ... ) == 0x0 03663 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x1,}, 4, ... ) == 0x0 03664 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x2,}, 4, ... ) == 0x0 03665 468 NtSetInformationThread (-2, ZeroTlsCell, {ZeroTlsCell=0x3,}, 4, ... ) == 0x0 03666 468 NtFreeVirtualMemory (-1, (0x0), 0, 32768, ... 
) == STATUS_MEMORY_NOT_ALLOCATED 03667 468 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 2011667056, 1310720, 0, 2011667075} (24, {20, 48, new_msg, 0, 2011667056, 1310720, 0, 2011667075} "\0\0\0\0\3\0\1\0\345\3\0\0\16\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 468, 1602, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\16\0\0\0\0\0\0\0" ) ... {20, 48, reply, 0, 464, 468, 1602, 0} (24, {20, 48, new_msg, 0, 2011667056, 1310720, 0, 2011667075} "\0\0\0\0\3\0\1\0\345\3\0\0\16\0\0\0\0\0\0\0" ... {20, 48, reply, 0, 464, 468, 1602, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\16\0\0\0\0\0\0\0" ) ) == 0x0 03668 468 NtTerminateProcess (-1, 0, ... 03669 468 NtClose (44, ... ) == 0x0